[Vulnerability] axios/axios: Prototype Pollution and SSRF #411

Description

@github-actions

Potential Security Vulnerability Detected

Repository: axios/axios
Commit: de1a810
Author: Jay
Date: 2026-04-21T18:34:54Z

Commit Message

chore: update changelog and packages (#10790)

* chore: update all packages and changelog

* chore: update all packages and remove anything unneeded

Pull Request

PR: #10790 - chore: update changelog and packages
Labels: priority::medium, commit::chore

Description:


Summary by cubic

Updates the changelog to v1.15.2 and refreshes dependencies in the root, docs, and ESM test fixtures to align with the release. No runtime/source code changes; maintenance only.

Description

  • Summary of changes
    • Added v1.15.2 notes to CHANGELOG (security hardening, allowedSocketPaths, keep‑alive leak fix).
    • Bumped follow-redirects to ^1.16.0; updated dev tools (vitest 4.1.5, @vitest/browser 4.1.5,...

Analysis

Vulnerability Type: Prototype Pollution and SSRF
Severity: High

Description

This update patches prototype pollution vulnerabilities in the Node HTTP adapter by hardening config object handling to avoid using polluted prototype properties. It also mitigates Server-Side Request Forgery (SSRF) attacks via Unix domain sockets by rejecting invalid socketPath values and introducing an allowlist (allowedSocketPaths) for permitted socket paths. Additionally, a memory leak in keep-alive socket handling was fixed, improving reliability under concurrent connections.

Affected Code

/* Vulnerable areas involved reading user-controlled config properties from objects that inherit from Object.prototype, allowing prototype pollution to affect request parameters such as auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser */

// Example vulnerable code snippet before patch:

function mergeConfig(defaults, config) {
  return Object.assign({}, defaults, config); // could be polluted via prototype properties
}

// socketPath value accepted without type validation or allowlist enforcement

Proof of Concept

1. Prototype Pollution:
// Malicious payload to inject prototype pollution
const pollutedConfig = JSON.parse('{"__proto__": {"socketPath": "/malicious/socket"}}');

// Using axios with polluted config causes requests to use attacker-controlled socketPath
axios.request(pollutedConfig); // request is sent via attacker socket

2. SSRF via socketPath:
// Without allowlist, attacker can provide socketPath to internal services
axios.request({ socketPath: '/var/run/docker.sock' }); // access internal docker API

// After patch, passing socketPath not in allowedSocketPaths rejects request
axios.request({ socketPath: '/var/run/docker.sock', allowedSocketPaths: ['/tmp/allowed.sock'] }); // throws AxiosError ERR_BAD_OPTION_VALUE

This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-04-22T00:01:14.914Z
