CVE-2026-42044: Invisible JSON Response Tampering via Prototype Pollution Gadget in Axios

DEV Community·CVE Reports·28 days ago

Vulnerability ID: CVE-2026-42044
CVSS Score: 6.5
Published: 2026-05-05

Axios versions 1.0.0 through 1.15.1 contain a prototype pollution gadget in the JSON response parsing logic. By exploiting a prerequisite prototype pollution vulnerability, an attacker can manipulate the parseReviver option to intercept, modify, or exfiltrate JSON data during deserialization.

TL;DR

A prototype pollution gadget in Axios's transformResponse function allows attackers to tamper with JSON responses. Upgrading to 1.15.2 or explicitly defining parseReviver in configuration mitigates the risk.…
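
The gadget pattern described above, modeled in plain JavaScript as an added example (not Axios source code and not part of the original report). The helpers parseJsonResponse, parseJsonResponseHardened and withPollutedPrototype are hypothetical stand-ins for a response transform that reads a parseReviver option from a plain config object; the response body and the reviver are constructed samples.

```javascript
// Added illustration; all function names here are hypothetical stand-ins,
// not Axios internals.

// Gadget shape: a plain property read walks the prototype chain, so a value
// planted on Object.prototype looks like caller-supplied configuration.
function parseJsonResponse(body, config = {}) {
  return JSON.parse(body, config.parseReviver);
}

// Hardened shape: honor the option only when it is an own property of the
// config object and is actually a function.
function parseJsonResponseHardened(body, config = {}) {
  const own = Object.prototype.hasOwnProperty.call(config, 'parseReviver');
  const reviver = own && typeof config.parseReviver === 'function'
    ? config.parseReviver
    : undefined;
  return JSON.parse(body, reviver);
}

// Simulates the prerequisite pollution bug for the duration of fn, then
// restores Object.prototype. The reviver is a constructed sample.
function withPollutedPrototype(fn) {
  Object.prototype.parseReviver = (key, value) =>
    (key === 'role' ? 'admin' : value);
  try {
    return fn();
  } finally {
    delete Object.prototype.parseReviver;
  }
}

function demo() {
  const body = '{"user":"alice","role":"viewer"}'; // constructed sample response
  const identity = (key, value) => value;
  return withPollutedPrototype(() => ({
    // No own parseReviver: the inherited one silently rewrites the data.
    vulnerable: parseJsonResponse(body, {}).role,
    // Mitigation named in the report: define parseReviver explicitly, so the
    // own property shadows anything inherited.
    explicit: parseJsonResponse(body, { parseReviver: identity }).role,
    // Own-property check ignores anything inherited.
    hardened: parseJsonResponseHardened(body, {}).role,
  }));
}

console.log(demo());
```

The tampered value never appears on the wire, so comparing the raw response body with the parsed object is one way to confirm whether a reviver was applied.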
