CVE-2026-44489 - Vulnerability Details

CVE-2026-44489 - Axios: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix

Axios is a promise based HTTP client for the browser and Node.js. From 1.15.2 to before 1.16.0, nested objects created by utils.merge() (e.g., config.proxy) are still constructed as plain {} with Object.prototype in their chain. The setProxy() function at lib/adapters/http.js:209-223 reads proxy.username, proxy.password, and proxy.auth without hasOwnProperty checks. When Object.prototype.username is polluted, setProxy() constructs a Proxy-Authorization header with attacker-controlled credentials and injects it into every proxied HTTP request. This vulnerability is fixed in 1.16.0.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact partial

Vendors	Products
Axios	Axios

Configuration 1 [-]

cpe:2.3:a:axios:axios:1.15.2:*:*:*:*:node.js:*:*

No data.

References

Link	Providers
https://github.com/axios/axios/security/advisories/GHSA-654m-c8p4-x5fp
https://nvd.nist.gov/vuln/detail/CVE-2026-44489
https://www.cve.org/CVERecord?id=CVE-2026-44489

History

Mon, 15 Jun 2026 16:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:axios:axios:1.15.2:::::node.js::

Fri, 12 Jun 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-346
References		https://nvd.nist.gov/vuln/detail/CVE-2026-44489 https://www.cve.org/CVERecord?id=CVE-2026-44489
Metrics	threat_severity `None`	threat_severity `Low`

Thu, 11 Jun 2026 20:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Axios Axios axios
Vendors & Products		Axios Axios axios

Thu, 11 Jun 2026 19:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 11 Jun 2026 16:45:00 +0000

Type	Values Removed	Values Added
Description		Axios is a promise based HTTP client for the browser and Node.js. From 1.15.2 to before 1.16.0, nested objects created by utils.merge() (e.g., config.proxy) are still constructed as plain {} with Object.prototype in their chain. The setProxy() function at lib/adapters/http.js:209-223 reads proxy.username, proxy.password, and proxy.auth without hasOwnProperty checks. When Object.prototype.username is polluted, setProxy() constructs a Proxy-Authorization header with attacker-controlled credentials and injects it into every proxied HTTP request. This vulnerability is fixed in 1.16.0.
Title		Axios: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix
Weaknesses		CWE-113 CWE-1321
References		https://github.com/axios/axios/security/advisories/GHSA-654m-c8p4-x5fp
Metrics		cvssV3_1 `{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-06-11T15:30:44.798Z

Updated: 2026-06-11T18:17:09.112Z

Reserved: 2026-05-06T17:18:51.783Z

Link: CVE-2026-44489

Vulnrichment

Updated: 2026-06-11T18:16:13.652Z

NVD

Status : Analyzed

Published: 2026-06-11T17:16:32.883

Modified: 2026-06-15T16:13:19.890

Link: CVE-2026-44489

Redhat

Severity : Low

Publid Date: 2026-06-11T15:30:44Z

Links: CVE-2026-44489 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation poc

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object