CVE-2026-42043 – axios

CVSS 7.2 IMPORTANT Critical or Zero Day – Immediate Deployment

“HTTP client weaknesses can turn trusted outbound requests into attacker-controlled traffic paths.”

Axios patched three vulnerabilities affecting proxy handling, header injection behavior, and prototype pollution gadget exposure. CVE-2026-42043 has a CVSS score of 7.2, which is High severity. CVE-2026-40175 has a CVSS score of 4.8, which is Medium severity. CVE-2026-42264 has a CVSS score of 7.4, which is High severity.

The vulnerabilities could allow NO_PROXY bypass, unsafe outbound request manipulation, header injection, or polluted configuration values being applied to HTTP requests. Proof-of-concept code has been reported for all three vulnerabilities.

Key Details

Affected Product
Axios Axios
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
CWE Classification
CWE-183
Patch this CVE on all your endpoints in under 5 minutes. First 200 endpoints are free forever, scale as needed.