CVE-2026-42264 (HIGH): detected in Lambda Docker Images.

[the-lambda-watchdog]

CVE Details

CVE ID	Severity	Affected Package	Installed Version	Fixed Version	Date Published	Date of Scan
CVE-2026-42264	HIGH	axios	1.15.0	1.15.2	2026-05-08T04:16:20.313Z	2026-05-08T10:18:20.600877578Z

---

Affected Docker Images

Image Name	SHA
public.ecr.aws/lambda/nodejs:latest	public.ecr.aws/lambda/nodejs@sha256:cd0287bce1f8c0a87e85950019ecd09daae832e2510e87a5385737a7ff5dc99a
public.ecr.aws/lambda/nodejs:24	public.ecr.aws/lambda/nodejs@sha256:33ee7117be4cefdbdbe8d2d6c6fe58b21d52d21d702eed1df68dfe809cd1b7f9
public.ecr.aws/lambda/nodejs:22	public.ecr.aws/lambda/nodejs@sha256:cd0287bce1f8c0a87e85950019ecd09daae832e2510e87a5385737a7ff5dc99a

---

Description

Axios is a promise based HTTP client for the browser and Node.js. From version 1.0.0 to before version 1.15.2, fFive config properties (auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser) in the HTTP adapter are read via direct property access without hasOwnProperty guards, making them exploitable as prototype pollution gadgets. When Object.prototype is polluted by another dependency in the same process, axios silently picks up these polluted values on every outbound HTTP request. This issue has been patched in version 1.15.2.

---

Remediation Steps

• Update the affected package axios from version 1.15.0 to 1.15.2.

About this issue

• This issue may not contain all the information about the CVE nor the images it affects.
• This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
• For more, visit Lambda Watchdog.
• This issue was created automatically by Lambda Watchdog.