CVE-2026-42042 — Vulnetix

CVE-2026-42042 PUBLISHED CVSS 5.400000095367432 MEDIUM

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library's XSRF token protection logic uses JavaScript truthy/falsy semantics instead of strict boolean comparison for the withXSRFToken config property. When this property is set to any truthy non-boolean value (via prototype pollution or misconfiguration), the same-origin check (isURLSameOrigin) is short-circuited, causing XSRF tokens to be sent to all request targets including cross-origin servers controlled by an attacker. This vulnerability is fixed in 1.15.1 and 0.31.1.

EPSS 0.05% · 15.2th percentile

Risk Scores

CVSS v3.1

5.400000095367432

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

EPSS Score

0.05%

15.2th percentile

Affected Products

Vendor	Product	Versions
axios	axios	< 0.31.1, *
AWS	config

Timeline

Apr 24, 2026 CVE Published
Apr 25, 2026 EPSS Score
May 6, 2026 Security Advisory
May 18, 2026 EPSS Score
May 19, 2026 EPSS Score
May 20, 2026 EPSS Score
May 21, 2026 EPSS Score
May 22, 2026 EPSS Score
May 23, 2026 EPSS Score
May 24, 2026 EPSS Score
May 25, 2026 EPSS Score
May 26, 2026 EPSS Score

References

https://github.com/axios/axios/security/advisories/GHSA-xx6v-rp6x-q39c url

Open in Interactive Console →