CVE-2026-42035 — HTTP Request/Response Splitting in Axios
Severity
7.4HIGHNVD
EPSS
0.1%
top 80.51%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedApr 24
Latest updateApr 28
Description
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, a prototype pollution gadget exists in the Axios HTTP adapter (lib/adapters/http.js) that allows an attacker to inject arbitrary HTTP headers into outgoing requests. The vulnerability exploits duck-type checking of the data payload, where if Object.prototype is polluted with getHeaders, append, pipe, on, once, and Symbol.toStringTag, Axios misidentifies any plain object payload as a FormData instance an…
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 2.2 | Impact: 5.2
Affected Packages59 packages
🔴Vulnerability Details
1VulDB▶
Axios up to 0.31.0/1.15.0 lib/adapters/http.js getHeaders response splitting (GHSA-6chq-wfr3-2hj9)↗2026-04-24
📋Vendor Advisories
1💬Community
14Bugzilla▶
CVE-2026-42035 ansible-collection-awx-awx: Axios: Arbitrary HTTP header injection via prototype pollution [epel-all]↗2026-04-28
Bugzilla▶
CVE-2026-42035 magicmirror: Axios: Arbitrary HTTP header injection via prototype pollution [fedora-all]↗2026-04-28
Bugzilla▶
CVE-2026-42035 oh-my-posh: Axios: Arbitrary HTTP header injection via prototype pollution [fedora-all]↗2026-04-28
Bugzilla▶
CVE-2026-42035 nextcloud: Axios: Arbitrary HTTP header injection via prototype pollution [epel-all]↗2026-04-28
Bugzilla▶
CVE-2026-42035 h3: Axios: Arbitrary HTTP header injection via prototype pollution [fedora-all]↗2026-04-28