Potential Security Vulnerability Detected
Repository: axios/axios
Commit: 78e8dcf
Author: TomTensor
Date: 2026-05-04T19:31:02Z
Commit Message
fix(security): defense-in-depth against already-polluted Object.prototype in formDataToJSON (#7413)
* fix(security): harden prototype pollution protection in formDataToJSON
Replace falsy check with hasOwnProp in the intermediate-path branch of
formDataToJSON's buildPath to prevent write-through into inherited objects.
Without this patch, if Object.prototype is already polluted (e.g. via a
third-party library or earlier vulnerability), user-supplied FormData
paths like 'injected.hijack' traverse the inherited object and mutate
Object.prototype in place. With hasOwnProp, the inherited slot is
shadowed by a new own property, keeping writes local to the result.
This is defense-in-depth: the existing __proto__ guard blocks direct
prototype injection, while this change prevents exploitation of an
already-polluted prototype chain.
Closes #7209
* test(security): use defineProperty + toBe in prototype-pollution regression test
---------
Co-authored-by: tommyhgunz14 <tommyhgunz14@users.noreply.github.com>
Co-authored-by: Jay <jasonsaayman@gmail.com>
Pull Request
PR: #7413 - fix(security): defense-in-depth against already-polluted Object.prototype in formDataToJSON
Labels: priority::medium, commit::fix, status::changes-requested, status::needs-rebase
Description:
Summary
Replace the falsy check with hasOwnProp in the intermediate-path branch of formDataToJSON's buildPath to prevent write-through into inherited objects.
Problem
If Object.prototype is already polluted (e.g. via a third-party library or an earlier vulnerability), user-supplied FormData paths like injected.hijack can traverse the inherited object and mutate Object.prototype in place. The original check:
if (!target[name] || !utils.isObject(target[name]))
follows the prototype chain ...
Analysis
Vulnerability Type: Prototype Pollution
Severity: Medium
Description
The original formDataToJSON function allowed writes to inherited properties on Object.prototype if those properties were already polluted by some prior action. This could enable attackers to tamper with global objects by supplying FormData keys like 'injected.hijack', resulting in unexpected prototype mutation and potentially leading to security issues. The patch replaces a falsy value check with a hasOwnProperty check, preventing writes to inherited prototype properties and limiting mutations to the local object only.
Affected Code
if (!target[name] || !utils.isObject(target[name])) {
target[name] = [];
}
Proof of Concept
// Simulate a prototype already polluted by some earlier code path
// (the precondition this patch defends against).
Object.defineProperty(Object.prototype, 'injected', {
value: { hijack: true },
configurable: true,
writable: true
});
// formDataToJSON is axios' helper under test (assumed to be in scope here);
// FormData is the platform global (browsers, Node 18+).
const formData = new FormData();
// Dotted key: buildPath walks 'injected' then writes 'hijack' on the object it finds.
formData.append('injected.hijack', 'STOLEN');
const result = formDataToJSON(formData);
// Before patch: target['injected'] resolves through the prototype chain, so
// Object.prototype.injected.hijack would be overwritten with 'STOLEN'
// After patch: hasOwnProp fails for the inherited slot, a new own property shadows it;
// result.injected.hijack === 'STOLEN', but Object.prototype.injected.hijack remains true
console.log(Object.prototype.injected.hijack); // true (unchanged)
console.log(result.injected.hijack); // 'STOLEN' (local shadowed property)
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-05-05T00:00:58.494Z