Axios Security Advisory: Prototype Pollution Flaw Enables HTTP Header Injection (CVE-2026-42035)
A security vulnerability has been disclosed in Axios, one of the most widely deployed HTTP client libraries in the JavaScript ecosystem. The flaw, tracked as CVE-2026-42035 and documented under GitHub Security Advisory GHSA-6chq-wfr3-2hj9, is a prototype pollution gadget in the library's HTTP adapter: if an attacker can pollute Object.prototype elsewhere in the application, the gadget turns that pollution into arbitrary HTTP headers on outgoing requests. The vulnerability affects Axios versions prior to 1.15.2, and projects that depend on the package for HTTP communication should update promptly.
The vulnerability is located in lib/adapters/http.js, the adapter Axios uses under Node.js (browser builds use the XHR and fetch adapters, so the gadget is reachable in server-side and tooling code, not in browser bundles). Prototype pollution attacks abuse JavaScript's prototype chain: code that deep-merges or assigns untrusted input can plant properties on Object.prototype, and every plain object in the process then inherits them. A gadget is library code that later reads such inherited properties as if they were legitimate configuration; it is not itself the pollution source, but it determines what an existing pollution can be turned into. In this instance, the gadget lets attacker-planted properties flow into the headers of requests that affected Axios installations send, so an attacker with a pollution primitive can add or override headers such as Authorization or Host on requests to third parties or internal services. Given Axios's role as a foundational HTTP client in Node.js backends, server-side rendering, and API integrations, the potential attack surface spans a significant portion of modern web application infrastructure.
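The following runnable illustration is added here and is not Axios's code; it shows the general pattern described above, not the actual lines in lib/adapters/http.js. The helpers unsafeMerge, buildHeadersVulnerable, buildHeadersHardened, serialize, pollutedKeys and demo are hypothetical stand-ins: a naive recursive merge of attacker-controlled JSON pollutes Object.prototype, a header builder that iterates with for...in (the gadget) picks the planted property up as a request header, and a hardened builder that copies only own properties and rejects CR/LF does not. The payload is constructed for the example.

```javascript
'use strict';
// Added illustration, not axios's own code: how a prototype-pollution
// gadget in an HTTP client turns an already-polluted Object.prototype into
// injected request headers, and what the hardened builder looks like.
// All helpers below are hypothetical and stand in for the pattern only.

// Pollution source: a naive recursive merge of attacker-controlled JSON.
// JSON.parse turns "__proto__" into an own key, so Object.keys yields it and
// the recursion descends into Object.prototype itself.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Gadget: for...in walks the prototype chain, so every enumerable property an
// attacker planted on Object.prototype becomes an outgoing header.
function buildHeadersVulnerable(headers) {
  const out = {};
  for (const name in headers) out[name.toLowerCase()] = String(headers[name]);
  return out;
}

const TOKEN = /^[!#$%&'*+.^_`|~0-9A-Za-z-]+$/; // RFC 9110 header-name token

// Hardened: own properties only, a null-prototype accumulator, and strict
// validation so a value cannot smuggle in a CRLF-terminated extra header line.
function buildHeadersHardened(headers) {
  const out = Object.create(null);
  for (const name of Object.keys(headers)) {
    if (!TOKEN.test(name)) throw new TypeError(`invalid header name: ${name}`);
    const value = String(headers[name]);
    if (/[\r\n]/.test(value)) throw new TypeError(`CR/LF in header value for ${name}`);
    out[name.toLowerCase()] = value;
  }
  return out;
}

// Renders the header block the way it would appear on the wire.
function serialize(headers) {
  return Object.entries(headers).map(([k, v]) => `${k}: ${v}`).join('\r\n');
}

// Runtime check: Object.prototype should never have own enumerable keys.
function pollutedKeys() {
  return Object.keys(Object.prototype);
}

// Runs the attack end-to-end against both builders, then removes the planted
// properties again so the rest of the process is not affected.
function demo(attackerJson) {
  const request = unsafeMerge({ headers: { accept: 'application/json' } }, JSON.parse(attackerJson));
  const injected = pollutedKeys();
  try {
    return {
      injected,
      vulnerable: serialize(buildHeadersVulnerable(request.headers)),
      hardened: serialize(buildHeadersHardened(request.headers)),
    };
  } finally {
    for (const k of injected) delete Object.prototype[k];
  }
}

// Constructed attacker payload, e.g. a JSON body that the app merges into
// request options before handing them to its HTTP client.
const PAYLOAD = '{"__proto__": {"x-forwarded-for": "127.0.0.1"}}';

const result = demo(PAYLOAD);
console.log('planted keys  :', result.injected);
console.log('vulnerable    :', JSON.stringify(result.vulnerable));
console.log('hardened      :', JSON.stringify(result.hardened));
console.log('after cleanup :', pollutedKeys());
```

The vulnerable builder emits an x-forwarded-for header the caller never set; the hardened one emits only the caller's accept header. The pollutedKeys check is cheap enough to run in a health endpoint or a test suite: any own enumerable key on Object.prototype means some code path in the process has already been polluted, whether or not a gadget has been found for it yet.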
Security teams and developers are advised to update Axios to version 1.15.2 or later, and to check transitive copies as well as direct dependencies: a lockfile can pin several Axios versions at once, and `npm ls axios` (or `npm audit`) will show every one that needs to move. Automated dependency management tools such as Renovate have opened update pull requests for the release; note that Renovate's confidence badges describe how widely adopted and how compatible the new version is, not the severity of the advisory, which is a separate input. Organizations with pinned dependencies or legacy versions face elevated exposure, particularly where Axios sends authenticated requests or talks to sensitive internal APIs, since injected headers on those requests are the gadget's payoff. Because the gadget only fires once something else has polluted Object.prototype, teams should also audit their own code and other dependencies for pollution sources such as unguarded deep merges of untrusted input. The disclosure highlights the persistent risk of prototype pollution vulnerabilities in JavaScript ecosystems and reinforces the importance of proactive dependency monitoring for production systems.