Axios
cpe:2.3:a:axios:axios:*:*:*:*:node.js:*:*
- >= 1.0.0, < 1.15.2
A prototype pollution vulnerability has been identified in Axios versions 1.0.0 prior to 1.15.2. The issue arises in the HTTP adapter, where five configuration properties are read directly from the request config without an own-property check, so a property the caller never set resolves through the prototype chain. When 'Object.prototype' has been polluted by another dependency, Axios therefore incorporates the contaminated values into outgoing HTTP requests. The affected properties are 'auth', 'baseURL', 'socketPath', 'beforeRedirect', and 'insecureHTTPParser'. Depending on which property is polluted, this can lead to unauthorized credential injection, redirection of requests to malicious servers, access to internal Unix sockets, execution of arbitrary functions during HTTP redirects, and a weakened HTTP parser that could facilitate request smuggling.
In an application whose 'Object.prototype' is already polluted, this weakness can be leveraged to inject credentials into Axios requests, redirect requests to attacker-controlled servers, reach internal Unix sockets in Docker environments, execute arbitrary functions during HTTP redirects, and weaken the HTTP parser, enabling request smuggling.
To reproduce this vulnerability, first pollute 'Object.prototype' with values for the 'auth' or 'baseURL' properties, then make an Axios HTTP request without setting those properties on the request config. The request is sent to the injected 'baseURL', and its 'Authorization' header carries the injected 'auth' credentials, demonstrating how the vulnerability can be exploited.
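The following is an added example, not Axios's own code, showing the mechanism described above in a simplified adapter: a direct `config[key]` read picks up polluted 'auth' and 'baseURL' values, while an own-property read does not, and a small runtime guard reports which of the five named keys currently resolve through 'Object.prototype'. The pollution is constructed locally to stand in for an unrelated vulnerable dependency; the hostname and credentials are placeholders.

```javascript
// Added example (not Axios's code): direct config reads vs. own-property reads under prototype pollution.
const SENSITIVE_KEYS = ['auth', 'baseURL', 'socketPath', 'beforeRedirect', 'insecureHTTPParser'];

// Unsafe read: `config[key]` walks the prototype chain, so a polluted
// Object.prototype supplies a value the caller never set.
function readUnsafe(config, key) {
  return config[key];
}

// Hardened read: honour only properties set on the config object itself
// (Object.hasOwn(config, key) is equivalent on Node 16.9+).
function readOwn(config, key) {
  return Object.prototype.hasOwnProperty.call(config, key) ? config[key] : undefined;
}

// Simplified adapter: derive the outgoing URL and Authorization header
// from the config, using whichever reader is supplied.
function buildRequest(config, read) {
  const auth = read(config, 'auth');
  const baseURL = read(config, 'baseURL') || '';
  const req = { url: baseURL + config.url, headers: {} };
  if (auth) {
    const creds = Buffer.from(`${auth.username}:${auth.password}`).toString('base64');
    req.headers.Authorization = `Basic ${creds}`;
  }
  return req;
}

// Runtime guard: which of the sensitive keys currently resolve through
// Object.prototype, i.e. would be injected by an unsafe read.
function pollutedSensitiveKeys() {
  return SENSITIVE_KEYS.filter((k) => k in Object.prototype);
}

// Constructed pollution standing in for an unrelated vulnerable dependency;
// the property is removed afterwards so the demo leaves no trace.
function withPollutedPrototype(key, value, fn) {
  Object.defineProperty(Object.prototype, key, { value, configurable: true, writable: true });
  try { return fn(); } finally { delete Object.prototype[key]; }
}

// The caller set neither auth nor baseURL, yet the unsafe path picks both up.
function demo() {
  const config = { url: '/api/data' };
  return withPollutedPrototype('baseURL', 'https://injected.example', () =>
    withPollutedPrototype('auth', { username: 'u', password: 'p' }, () => ({
      polluted: pollutedSensitiveKeys(),
      unsafe: buildRequest(config, readUnsafe),
      safe: buildRequest(config, readOwn),
    })));
}
```

The same own-property check applied to 'socketPath', 'beforeRedirect' and 'insecureHTTPParser' closes the remaining three paths the advisory lists.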
Users can upgrade to Axios version 1.15.2 or later, where this vulnerability has been patched.