CVE-2026-42042: XSRF Token Cross-Origin Leakage via Prototype Pollution in Axios

DEV Community·CVE Reports·28 days ago

Vulnerability ID: CVE-2026-42042
CVSS Score: 5.4
Published: 2026-05-05

Axios, a widely used JavaScript HTTP client, contains a vulnerability where loose truthiness checks on the withXSRFToken configuration property permit Cross-Site Request Forgery (XSRF) token leakage. This occurs when an application is vulnerable to Prototype Pollution, allowing attackers to short-circuit same-origin validation checks and extract anti-CSRF tokens to cross-origin servers.

TL;DR

A vulnerability in Axios allows XSRF tokens to leak to cross-origin servers. This occurs when loose boolean evaluation in the configuration logic is bypassed via an external Prototype Pollution gadget.…
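To make the control flow described above concrete, the following is an added example, not Axios's own code and not part of the DEV Community post, that models the "attach the XSRF header or not" decision. Only the property name withXSRFToken comes from the advisory; the function names, the origins, the cookie-less simplification and the inherited-property gadget (built with Object.create so the real Object.prototype is never touched) are constructed for illustration. The loose variant shows how a value inherited through the prototype chain satisfies a truthiness check and skips the same-origin test; the strict variant and the audit helper show a mitigation pattern.

```javascript
// Added example: a simplified model of the "attach XSRF header?" decision
// described in the advisory. This is NOT Axios's code; function names,
// origins and the simulated pollution are constructed for illustration.

// Same-origin check: resolve the request URL against the page origin.
function isSameOrigin(requestUrl, pageOrigin) {
  try {
    return new URL(requestUrl, pageOrigin).origin === pageOrigin;
  } catch {
    return false;
  }
}

// Vulnerable pattern: a loose truthiness check on a property read through
// the prototype chain. An inherited `withXSRFToken` (from a polluted
// prototype) satisfies `withXSRFToken || ...` and skips the same-origin test.
function shouldAttachTokenLoose(config, requestUrl, pageOrigin) {
  const withXSRFToken = config.withXSRFToken; // may be inherited, not own
  return Boolean(
    withXSRFToken ||
      (withXSRFToken !== false && isSameOrigin(requestUrl, pageOrigin))
  );
}

// Hardened pattern: only an *own* property that is strictly the boolean
// `true` may override the same-origin rule; anything inherited is ignored.
function shouldAttachTokenStrict(config, requestUrl, pageOrigin) {
  const explicit = Object.hasOwn(config, 'withXSRFToken')
    ? config.withXSRFToken
    : undefined;
  if (explicit === true) return true;
  if (explicit === false) return false;
  return isSameOrigin(requestUrl, pageOrigin);
}

// Defender check: list config keys that are readable but not own properties,
// i.e. values that arrived via the prototype chain rather than from the caller.
function inheritedConfigKeys(config, keys) {
  return keys.filter((k) => k in config && !Object.hasOwn(config, k));
}

// Simulate a polluted prototype without touching the real Object.prototype:
// the app's request config inherits a `withXSRFToken: true` it never set.
function buildPollutedConfig() {
  const pollutedProto = { withXSRFToken: true }; // constructed gadget effect
  return Object.create(pollutedProto);
}

function demo() {
  const pageOrigin = 'https://app.example';          // constructed
  const crossOrigin = 'https://collector.example/x'; // constructed
  const config = buildPollutedConfig();
  return {
    looseLeaks: shouldAttachTokenLoose(config, crossOrigin, pageOrigin),
    strictLeaks: shouldAttachTokenStrict(config, crossOrigin, pageOrigin),
    inherited: inheritedConfigKeys(config, ['withXSRFToken']),
  };
}

console.log(demo()); // { looseLeaks: true, strictLeaks: false, inherited: [ 'withXSRFToken' ] }
```

The strict variant still honours an explicit, own `withXSRFToken: true` set by the application, so it does not change documented behaviour for callers who opt in; it only stops a value that was never set on the config object from switching off the same-origin rule. The `inheritedConfigKeys` helper is the kind of check a defender can run on request configs in a test suite to detect that a pollution gadget has fired before any request leaves the browser.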
