Axios Security Flaw CVE-2026-42035 Enables HTTP Header Injection via Prototype Pollution
A critical security vulnerability has been disclosed in Axios, one of the most widely used HTTP clients in the JavaScript ecosystem. Tracked as CVE-2026-42035 and associated with GitHub Security Advisory GHSA-6chq-wfr3-2hj9, the flaw allows attackers to inject arbitrary HTTP headers into outgoing requests through a prototype pollution gadget located in the Axios HTTP adapter at lib/adapters/http.js. The vulnerability affects versions prior to the 1.15.2 patch, prompting urgent upgrade recommendations across dependent projects.
Prototype pollution is a particularly insidious class of vulnerability in JavaScript environments. By writing properties onto a shared prototype such as Object.prototype, an attacker can alter the behavior of every object that inherits from it, including objects the vulnerable code never exposed directly. In this case the gadget lets such an inherited property surface as an HTTP header on outgoing requests, which could facilitate request smuggling, authentication bypass, or data exfiltration depending on how the library is deployed within an application's architecture. Because lib/adapters/http.js is the adapter Axios uses under Node.js rather than in browsers, organizations running server-side Axios instances face elevated risk due to the potential for downstream security implications.
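The following is an added example, not Axios code and not the advisory's gadget: it shows the general mechanism the advisory describes (a property written onto Object.prototype leaking into a header map built with an inheritance-walking loop), a hardened builder that copies own properties only and rejects CR/LF, and a small check a service can run at startup to detect an already polluted prototype. The header names, values and helper functions are constructed for the demonstration.

```javascript
// Added example (not from the Axios project). Demonstrates how prototype
// pollution reaches a header map, and how to build headers defensively.

// Naive merge: for...in also walks enumerable properties inherited from the
// prototype chain, so anything planted on Object.prototype becomes a header.
function buildHeadersNaive(userHeaders) {
  const headers = {};
  for (const name in userHeaders) {
    headers[name] = String(userHeaders[name]);
  }
  return headers;
}

// Hardened merge: own properties only, a null-prototype target so the result
// itself cannot inherit anything, and CR/LF rejected so no value can start a
// new header line.
function buildHeadersSafe(userHeaders) {
  const headers = Object.create(null);
  for (const name of Object.keys(userHeaders)) {
    const value = String(userHeaders[name]);
    if (/[\r\n]/.test(name) || /[\r\n]/.test(value)) {
      throw new TypeError(`invalid characters in header "${name}"`);
    }
    headers[name] = value;
  }
  return headers;
}

// Startup check: a clean Object.prototype has no enumerable own keys.
function prototypeIsPolluted() {
  return Object.keys(Object.prototype).length > 0;
}

// Demonstration with a constructed pollution of Object.prototype, cleaned up
// again before returning so the rest of the process is unaffected.
function demo() {
  Object.prototype['x-injected'] = 'constructed-value';   // constructed pollution
  const detected = prototypeIsPolluted();
  const naive = buildHeadersNaive({ accept: 'application/json' });
  const safe = buildHeadersSafe({ accept: 'application/json' });
  delete Object.prototype['x-injected'];
  return {
    detected,                                             // true
    naiveLeaked: Object.hasOwn(naive, 'x-injected'),      // true: header injected
    safeLeaked: 'x-injected' in safe,                     // false
  };
}
```

Freezing Object.prototype at process start (Object.freeze) blocks writes like the one in demo() outright, at the cost of breaking libraries that legitimately extend built-in prototypes, so test that in staging before relying on it.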
The security advisory has triggered automated dependency update pull requests across countless repositories, with package managers like pnpm flagging the update path from version 1.14.1 to 1.15.2. Development teams maintaining applications that rely on Axios for HTTP communications should treat this as a high-priority remediation task. The OpenSSF Scorecard integration on the Axios repository provides additional supply-chain security context for teams evaluating the trustworthiness of the patched release. Given Axios's pervasive adoption—powering HTTP requests in frontend frameworks, backend services, and API integrations—the vulnerability's blast radius spans the entire JavaScript development landscape.