CVE Details
| CVE ID | Severity | Affected Package | Installed Version | Fixed Version | Date Published | Date of Scan |
|---|---|---|---|---|---|---|
| CVE-2026-42044 | MEDIUM | axios | 1.15.0 | 1.15.2 | 2026-04-24T18:16:31.613Z | 2026-05-09T10:18:28.738791675Z |
Affected Docker Images
| Image Name | SHA |
|---|---|
| public.ecr.aws/lambda/nodejs:latest | public.ecr.aws/lambda/nodejs@sha256:cd0287bce1f8c0a87e85950019ecd09daae832e2510e87a5385737a7ff5dc99a |
| public.ecr.aws/lambda/nodejs:24 | public.ecr.aws/lambda/nodejs@sha256:33ee7117be4cefdbdbe8d2d6c6fe58b21d52d21d702eed1df68dfe809cd1b7f9 |
| public.ecr.aws/lambda/nodejs:22 | public.ecr.aws/lambda/nodejs@sha256:cd0287bce1f8c0a87e85950019ecd09daae832e2510e87a5385737a7ff5dc99a |
Description
Axios is a promise-based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.2, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into surgical, invisible modification of all JSON API responses — including privilege escalation, balance manipulation, and authorization bypass. The default transformResponse function at lib/defaults/index.js:124 calls JSON.parse(data, this.parseReviver), where this is the merged config object. Because parseReviver is not present in Axios defaults, not validated by assertOptions, and not subject to any constraints, a polluted Object.prototype.parseReviver function is called for every key-value pair in every JSON response, allowing the attacker to selectively modify individual values while leaving the rest of the response intact. This vulnerability is fixed in 1.15.2.
Remediation Steps
- Update the affected package axios from version 1.15.0 to 1.15.2.
About this issue
- This issue may not contain all the information about the CVE nor the images it affects.
- This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
- For more, visit Lambda Watchdog.
- This issue was created automatically by Lambda Watchdog.