CVE Details
| CVE ID |
Severity |
Affected Package |
Installed Version |
Fixed Version |
Date Published |
Date of Scan |
| CVE-2026-44490 |
MEDIUM |
axios |
1.15.2 |
1.16.0, 0.32.0 |
2026-06-11T17:16:33.027Z |
2026-06-12T10:18:16.790052646Z |
Affected Docker Images
| Image Name |
SHA |
public.ecr.aws/lambda/nodejs:latest |
public.ecr.aws/lambda/nodejs@sha256:5fc0a885aec5f7af983d873496774cc8151a64b4b0be567b2c5707b0441c4f63 |
public.ecr.aws/lambda/nodejs:24 |
public.ecr.aws/lambda/nodejs@sha256:dbb877d56e710380d86a0ad9ab48a53ffa0977cbabebd6ae0db366a4cc88b20e |
public.ecr.aws/lambda/nodejs:22 |
public.ecr.aws/lambda/nodejs@sha256:5fc0a885aec5f7af983d873496774cc8151a64b4b0be567b2c5707b0441c4f63 |
Description
Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, axios exposes two read-side prototype-pollution gadgets. When Object.prototype is polluted by an upstream dependency in the same process (e.g. lodash _.merge / CVE-2018-16487), axios silently picks up the polluted values. (1) lib/utils.js line 406 builds merge()'s accumulator as result = {}, so result[targetKey] (line 414) walks Object.prototype and the polluted bucket's own keys are copied into the merged headers and ride out on the wire. (2) lib/core/mergeConfig.js line 26 builds the hasOwnProperty descriptor as a plain-object literal. Object.defineProperty reads descriptor.get/descriptor.set via the prototype chain, so a polluted Object.prototype.get or Object.prototype.set makes the call throw TypeError synchronously on every axios request. This vulnerability is fixed in 0.32.0 and 1.16.0.
Remediation Steps
- Update the affected package
axios from version 1.15.2 to 1.16.0, 0.32.0.
About this issue
- This issue may not contain all the information about the CVE nor the images it affects.
- This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
- For more, visit Lambda Watchdog.
- This issue was created automatically by Lambda Watchdog.
CVE Details
MEDIUMaxios1.15.21.16.0, 0.32.02026-06-11T17:16:33.027Z2026-06-12T10:18:16.790052646ZAffected Docker Images
public.ecr.aws/lambda/nodejs:latestpublic.ecr.aws/lambda/nodejs@sha256:5fc0a885aec5f7af983d873496774cc8151a64b4b0be567b2c5707b0441c4f63public.ecr.aws/lambda/nodejs:24public.ecr.aws/lambda/nodejs@sha256:dbb877d56e710380d86a0ad9ab48a53ffa0977cbabebd6ae0db366a4cc88b20epublic.ecr.aws/lambda/nodejs:22public.ecr.aws/lambda/nodejs@sha256:5fc0a885aec5f7af983d873496774cc8151a64b4b0be567b2c5707b0441c4f63Description
Remediation Steps
axiosfrom version1.15.2to1.16.0, 0.32.0.About this issue