CVE-2026-42035: Axios Header Injection via Prototype Pollution Gadget

Axios operates as a widely adopted promise-based HTTP client for both browser and Node.js environments. The vulnerability resides specifically within the Node.js HTTP adapter, located at lib/adapters/http.js. This component manages the construction and transmission of outbound HTTP requests when Axios executes outside a browser context.

The flaw manifests as a Prototype Pollution gadget, tracked under CWE-1321. Axios itself does not expose the primary prototype pollution primitive required to initiate the attack. Instead, the library acts as a highly privileged execution sink. An attacker must exploit an independent vulnerability within the application or its dependency tree to pollute the global object prototype before this gadget becomes active.

The core mechanism of the vulnerability involves the adapter's insecure implementation of duck-typing used to evaluate request payloads. When an application passes data to Axios, the adapter attempts to determine if the payload is a FormData instance. It does this by checking for the existence of specific methods and properties, executing them if found, and merging the results into the request headers.

The resulting impact is HTTP Header Injection. Because the duck-typing checks traverse the prototype chain, a polluted global object allows attackers to force plain JavaScript object payloads to mimic FormData instances. The adapter then executes an attacker-controlled function from the prototype, returning arbitrary key-value pairs that are directly injected into the outgoing network stream.

The root cause of CVE-2026-42035 lies in the adapter's logic for automatically extracting headers from FormData instances. When developers utilize the form-data package, Axios is designed to seamlessly integrate by calling the getHeaders() method provided by the FormData object. This ensures that essential headers, such as Content-Type with the dynamically generated multipart boundary, are correctly appended to the request.

To identify a FormData object, Axios employs a utility function named utils.isFormData(data). This function relies on duck-typing, evaluating the object based on its behavior rather than its explicit class constructor. The utility checks for the presence of an append method and assesses the object's string representation by evaluating the Symbol.toStringTag property or the default toString output.

The critical error occurs because Axios accesses these properties and methods using standard dot notation without verifying their origin. In JavaScript, standard property lookups inherently traverse the prototype chain. The adapter fails to utilize explicit "own property" checks, meaning it cannot distinguish between a method explicitly defined on the payload object and a method inherited from Object.prototype.

This missing verification establishes the execution sink. If an attacker successfully pollutes Object.prototype with malicious getHeaders, append, and Symbol.toStringTag properties, all subsequent plain JavaScript objects created within the application inherit these traits. When Axios processes a request containing a plain object payload, the duck-typing checks resolve the inherited properties, validate the payload as FormData, and execute the malicious getHeaders function.

The original, vulnerable implementation in lib/adapters/http.js evaluated the payload using a simple conditional statement. The code executed headers.set(data.getHeaders()) immediately after utils.isFormData(data) returned true and data.getHeaders evaluated as a valid function. This implementation implicitly trusted the output of the prototype chain traversal.

// Vulnerable Implementation
if (utils.isFormData(data) && utils.isFunction(data.getHeaders)) {
  headers.set(data.getHeaders());
}

The primary remediation, introduced in commit f53ebf21989164a1f41b85f012bc545c17df7f16, hardens the conditional check by enforcing explicit "own property" verification. The developers replaced the utils.isFunction(data.getHeaders) check with a direct call to Object.prototype.hasOwnProperty. This modification breaks the prototype traversal, ensuring that the getHeaders method must exist directly on the payload object instance.

// Patched Implementation
if (utils.isFormData(data) && Object.prototype.hasOwnProperty.call(data, 'getHeaders')) {
  headers.set(data.getHeaders());
}

By utilizing Object.prototype.hasOwnProperty.call(data, 'getHeaders'), the adapter safely bypasses the prototype chain entirely. Even if Object.prototype contains a polluted getHeaders function, the check will evaluate to false when processing a standard plain object payload. This specific patch effectively neutralizes the primary gadget execution path without disrupting legitimate FormData functionality.

Beyond addressing the prototype pollution execution sink, the Axios maintainers implemented secondary defense-in-depth measures to mitigate broader header injection risks. Attackers often chain header injection flaws with HTTP Request Splitting (CWE-113) by injecting Carriage Return Line Feed (CRLF) sequences into header values. This technique allows attackers to append supplementary headers or entirely new HTTP bodies to the request stream.

Commit 163da7226fd2cd21f0f238f99b2f75a51bf9b2a3 introduces an explicit sanitization routine for header values. The implementation defines a regular expression, INVALID_HEADER_VALUE_CHARS_RE, which matches any characters outside the standard printable ASCII range, specifically targeting control characters like \x0D (CR) and \x0A (LF).

const INVALID_HEADER_VALUE_CHARS_RE = /[^\x09\x20-\x7E\x80-\xFF]/g;
 
function sanitizeHeaderValue(str) {
  return trimSPorHTAB(str.replace(INVALID_HEADER_VALUE_CHARS_RE, ''));
}

The sanitizeHeaderValue function is now applied systematically to header values before they are written to the underlying Node.js HTTP request object. This approach strips invalid characters silently, ensuring that even if an alternative path for header injection is discovered, the attacker cannot leverage it to corrupt the HTTP protocol boundaries.

Exploiting this vulnerability requires the attacker to fulfill specific prerequisites. The primary requirement is an independent mechanism capable of polluting the global Object.prototype within the target application's memory space. This pollution typically originates from insecure recursive merge functions, flawed JSON parsing logic, or vulnerable templating engines running elsewhere in the Node.js environment.

Once the pollution vector is established, the attacker crafts a payload designed to populate Object.prototype with the methods required to bypass the duck-typing checks. The payload defines a functional getHeaders property that returns the desired malicious HTTP headers. Additionally, it defines an append function and modifies Symbol.toStringTag to return the string 'FormData', satisfying the conditions of utils.isFormData().

The attacker must then wait for, or actively trigger, a legitimate Axios request within the application. The specific requirement for the targeted request is that it must utilize a plain JavaScript object as the data payload. Requests sending strings, streams, or pre-constructed buffers will bypass the vulnerable conditional branch entirely.

Upon execution of the targeted Axios request, the adapter incorrectly evaluates the plain object payload as a valid FormData instance due to the inherited properties. The adapter invokes the polluted getHeaders function and sequentially calls headers.set() for each returned key-value pair. The outbound HTTP request is subsequently transmitted containing the attacker's injected headers.

CVE-2026-42035 represents a significant risk to affected applications, characterized by a CVSS v3.1 base score of 7.4. The vulnerability operates over a network attack vector and requires no specialized user interaction or elevated privileges, provided the prerequisite prototype pollution primitive exists. The primary impact domains are confidentiality and integrity, as the flaw allows attackers to completely control the metadata of outbound network requests.

The most critical consequence involves authorization bypass and identity spoofing. By injecting headers such as Authorization: Bearer <token> or X-Forwarded-User, an attacker can elevate their privileges when the Axios request interacts with downstream internal APIs or microservices. The target server processes the request using the injected credentials, effectively executing actions on behalf of the attacker with the application's authorized context.

Furthermore, the ability to manipulate arbitrary headers facilitates advanced request smuggling and routing bypass techniques. Attackers can modify headers like Host, X-Forwarded-For, or Via to deceive internal load balancers, Web Application Firewalls (WAFs), or reverse proxies. This capability allows attackers to access restricted internal endpoints or bypass IP-based access controls.

The widespread integration of Axios within the Node.js ecosystem exacerbates the overall risk profile. While Axios itself does not introduce the prototype pollution primitive, the presence of this execution sink transforms otherwise benign prototype pollution bugs into direct vectors for Server-Side Request Forgery (SSRF) and remote access compromise.