Web Application Vulnerabilities Runtime SCA Findings
Looking for the vulnerability index of Invicti's legacy products?
Invicti Enterprise Acunetix Standard & Premium
axios Unintended Proxy or Intermediary (Confused Deputy) Vulnerability - CVE-2026-44494 - Vulnerability Database
axios

axios Unintended Proxy or Intermediary (Confused Deputy) Vulnerability - CVE-2026-44494

High
Reference: CVE-2026-44494
NVD Link: https://nvd.nist.gov/vuln/detail/CVE-2026-44494
Title: axios Unintended Proxy or Intermediary (Confused Deputy) Vulnerability
Overview:

Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.16.0 the Axios library is vulnerable to a Prototype Pollution quotGadgetquot attack that allows any Object.prototype pollution in the application39s dependency tree to be escalated into a full Man-in-the-Middle (MITM) attack intercepting reading and modifying all HTTP traffic including authentication credentials. The HTTP adapter at lib/adapters/http.js:670 reads config.proxy via standard property access which traverses the prototype chain. Because proxy is not present in Axios defaults the merged config object has no own proxy property making it trivially injectable via prototype pollution. Once injected setProxy() routes all HTTP requests through the attacker39s proxy server. This vulnerability is fixed in 1.16.0.