DEBIAN-CVE-2026-42264

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2026-42264

Import Source

https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-42264.json

JSON Data

https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2026-42264

Upstream

CVE-2026-42264

Published

2026-05-08T04:16:20.313Z

Modified

2026-05-14T09:00:10.444342564Z

Severity

9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

[none]

Details

Axios is a promise based HTTP client for the browser and Node.js. From version 1.0.0 to before version 1.15.2, fFive config properties (auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser) in the HTTP adapter are read via direct property access without hasOwnProperty guards, making them exploitable as prototype pollution gadgets. When Object.prototype is polluted by another dependency in the same process, axios silently picks up these polluted values on every outbound HTTP request. This issue has been patched in version 1.15.2.

References

https://security-tracker.debian.org/tracker/CVE-2026-42264

Affected packages

Debian:11 / node-axios

Package

Name: node-axios
Purl: pkg:deb/debian/node-axios?arch=source&distro=bullseye

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.21.1+dfsg-1

0.21.1+dfsg-1+deb11u1

0.21.3+dfsg-1

0.21.4+dfsg-1

0.22.0+dfsg-1

0.23.0+dfsg-1

0.23.0+dfsg-2

0.24.0+dfsg-1

0.25.0+dfsg-1

0.25.0+dfsg-2

0.26.0+dfsg-1

0.26.1+dfsg-1

0.26.1+dfsg-2

0.27.2+dfsg-1

0.27.2+dfsg-2

1.*

1.1.2+dfsg-1

1.1.2+dfsg-2

1.1.2+dfsg-3

1.1.3+dfsg-1

1.1.3+dfsg-2

1.2.0+dfsg-1

1.2.1+dfsg-1

1.5.1+dfsg-1

1.6.2+dfsg-1

1.6.8+dfsg-1

1.6.8+dfsg-2

1.7.3+dfsg-1

1.7.4+dfsg-1

1.7.7+dfsg-1

1.7.9+dfsg-1

1.8.4+dfsg-1

1.11.0+dfsg-1

1.12.1+dfsg-1

1.13.1+dfsg-1

1.13.2+dfsg-1

1.14.0+dfsg-1

1.15.0-1

1.15.2-1

1.16.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-42264.json"

Debian:12 / node-axios

Package

Name: node-axios
Purl: pkg:deb/debian/node-axios?arch=source&distro=bookworm

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.2.1+dfsg-1

1.2.1+dfsg-1+deb12u1

1.5.1+dfsg-1

1.6.2+dfsg-1

1.6.8+dfsg-1

1.6.8+dfsg-2

1.7.3+dfsg-1

1.7.4+dfsg-1

1.7.7+dfsg-1

1.7.9+dfsg-1

1.8.4+dfsg-1

1.11.0+dfsg-1

1.12.1+dfsg-1

1.13.1+dfsg-1

1.13.2+dfsg-1

1.14.0+dfsg-1

1.15.0-1

1.15.2-1

1.16.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-42264.json"

Debian:13 / node-axios

Package

Name: node-axios
Purl: pkg:deb/debian/node-axios?arch=source&distro=trixie

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.8.4+dfsg-1

1.11.0+dfsg-1

1.12.1+dfsg-1

1.13.1+dfsg-1

1.13.2+dfsg-1

1.14.0+dfsg-1

1.15.0-1

1.15.2-1

1.16.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-42264.json"

Debian:14 / node-axios

Package

Name: node-axios
Purl: pkg:deb/debian/node-axios?arch=source&distro=forky

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.15.2-1

Affected versions

1.*

1.8.4+dfsg-1

1.11.0+dfsg-1

1.12.1+dfsg-1

1.13.1+dfsg-1

1.13.2+dfsg-1

1.14.0+dfsg-1

1.15.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-42264.json"