CVE-2026-42042Permissive List of Allowed Inputs in Axios

CWE-183Permissive List of Allowed InputsCWE-201Sensitive Info Insertion into Sent DataCWE-1025Comparison Using Wrong Factors4 documents4 sources
Severity
5.4MEDIUMNVD
EPSS
0.0%
top 90.83%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
58
Axios3scale-amp2 System-rhel73scale-amp2 System-rhel8+55 more
Timeline
PublishedApr 24

Description

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library's XSRF token protection logic uses JavaScript truthy/falsy semantics instead of strict boolean comparison for the withXSRFToken config property. When this property is set to any truthy non-boolean value (via prototype pollution or misconfiguration), the same-origin check (isURLSameOrigin) is short-circuited, causing XSRF tokens to be sent to all request targets including cross-origin s

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages59 packages

CVEListV5axios/axios< 0.31.1+1
Red Hataxios/axios
Red Hatboost/boost
Red Hatgrafana/grafana

🔴Vulnerability Details

1
VulDB
Axios up to 0.31.0/1.15.0 permissive list of allowed inputs (GHSA-xx6v-rp6x-q39c)2026-04-24

📋Vendor Advisories

1
Red Hat
axios: Axios: XSRF token bypass leading to information disclosure2026-04-24

💬Community

1
Bugzilla
CVE-2026-42042 axios: Axios: XSRF token bypass leading to information disclosure2026-04-24
CVE-2026-42042 — Permissive List of Allowed Inputs | cvebase