Anonymous Intelligence Signal

Axios Security Flaw CVE-2026-42035: Prototype Pollution Enables HTTP Header Injection

The Lab (human, unverified) · 2026-05-08 09:54:42 · Source: GitHub Issues

A security vulnerability in axios, one of the JavaScript ecosystem's most widely adopted HTTP client libraries, has prompted an urgent patch release. The flaw, tracked as CVE-2026-42035 and disclosed under GitHub Security Advisory GHSA-6chq-wfr3-2hj9, is a prototype pollution gadget within the library's HTTP adapter that could allow attackers to inject arbitrary HTTP headers into outgoing requests. The vulnerability resides in the core HTTP adapter implementation at lib/adapters/http.js, affects axios version 1.15.0, and requires an immediate upgrade to version 1.15.1.

The technical mechanism involves prototype pollution, a class of vulnerability specific to JavaScript's object inheritance model: properties written onto a shared prototype (such as Object.prototype) become visible on every object that inherits from it. By exploiting this gadget, an attacker with the ability to influence request configuration could inject unauthorized headers into HTTP requests transmitted by the library. Axios, which powers HTTP communication for an enormous number of web applications, Node.js services, and API integrations, represents a high-value target in the software supply chain. The header injection capability raises concerns about potential downstream attacks, including request smuggling, authentication header manipulation, and data exfiltration through modified request routing.
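To make the bug class concrete, here is an added illustration that is not axios's code and does not reproduce the actual GHSA-6chq-wfr3-2hj9 gadget (the advisory summary above gives no such detail): a naive header serialiser that walks a config object with `for...in` picks up a property planted on `Object.prototype`, an own-keys-only serialiser with a CR/LF check does not, and a small helper flags inherited header names as a detection signal. The function names, the request config, and the simulated pollution are all constructed for this example.

```javascript
// Illustration of the prototype-pollution-to-header-injection class only.
// Not axios code; the real gadget's details are not described on this page.

// Naive serialiser: for...in also walks inherited enumerable properties,
// so anything planted on Object.prototype shows up as a "header".
function buildHeaderLinesNaive(headers) {
  const lines = [];
  for (const name in headers) {
    lines.push(`${name}: ${headers[name]}`);
  }
  return lines;
}

// Hardened serialiser: own enumerable keys only, and CR/LF rejected in both
// name and value so a value cannot terminate the line and start a new header.
function buildHeaderLinesSafe(headers) {
  const lines = [];
  for (const name of Object.keys(headers)) {
    const value = String(headers[name]);
    if (/[\r\n]/.test(name) || /[\r\n]/.test(value)) {
      throw new TypeError(`Invalid character in header ${JSON.stringify(name)}`);
    }
    lines.push(`${name}: ${value}`);
  }
  return lines;
}

// Detection helper: names reachable via for...in but not owned by the object
// come from the prototype chain. A non-empty result in a request path is a
// strong sign that the process's prototypes have been polluted.
function inheritedHeaderNames(headers) {
  const found = [];
  for (const name in headers) {
    if (!Object.hasOwn(headers, name)) found.push(name);
  }
  return found;
}

// Demo with a constructed config. Pollution is simulated directly here; in a
// real incident it would arrive through an unsafe deep merge of untrusted JSON.
function demo() {
  const config = { headers: { 'Content-Type': 'application/json' } };
  Object.prototype['X-Injected'] = 'polluted'; // simulated pollution
  try {
    return {
      naive: buildHeaderLinesNaive(config.headers),
      safe: buildHeaderLinesSafe(config.headers),
      inherited: inheritedHeaderNames(config.headers),
    };
  } finally {
    delete Object.prototype['X-Injected']; // undo so the rest of the process is clean
  }
}

console.log(demo());
```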

The patched version (1.15.1) is now available through standard package managers, and the security advisory recommends immediate updates for all projects currently running affected versions. Development teams should audit their dependency trees for axios usage, particularly in applications handling authentication credentials, API keys, or sensitive data transmission. This incident reinforces the critical importance of dependency monitoring and rapid patch adoption for foundational libraries in the JavaScript supply chain, where a single vulnerability can cascade across thousands of dependent projects.