ANALYSIS · f4721d38· FINISHED 2026-04-19 · PATCHDIFF

axiosv1.14.0 → v1.15.0✓ COMPLETED

Files227

Vulnerable38

True positives31

CVE matched1

1 CVE article ready PatchLeaks generated full security writeups for the matched CVEs · one per CVE, with affected files linked

CVE-2026-40175

FILTERS 0

SEARCH

STATUS

JUDGE

CVE MATCH

EXTENSION

CWE

OPTIONS

Hide “No vulnerability” Hide unjudged

SCOPE

All 227 CVE 1 Vuln 38

SORT

1 files · page 1/1

docs/scripts/process-sponsors.js

AI: 2 vulnerabilities

CVE-2026-40175 2 TP

#%!d(float64=074)

1–1 of 1

⌖

Select a file from the list to inspect its diff and AI analysis.

↑ ↓ to navigate

CVES 1

CVE-2026-40175

Security writeup for CVE-2026-40175

✓ 1 FILE

## The Exploit

Attacker needs only the ability to inject a malicious sponsor record into `process-sponsors.js` during the docs build process.

```bash
node - <<'NODE'
const allSponsorsProcessedData = [
  { slug: 'evil', tier: '__proto__', url: 'javascript:alert(1)' }
];
const activeSponsorsProcessedData = [];

const sponsorsByTier = {};
for (const sponsor of allSponsorsProcessedData) {
  sponsorsByTier[sponsor.tier] ||= [];
}

console.log('poisoned prototype push available:', typeof ({}).push);
console.log('link output:', buildLinks(allSponsorsProcessedData[0].url));
NODE
```

The output shows the bug in action: a plain object now inherits array methods because `sponsor.tier` was `__proto__`, and the link builder returns a `javascript:` URI with tracking parameters appended.

## What the Patch Did

Before:

```js
const buildLinks = (url, bypass = false) => {
  if (bypass) {
    return url;
  }

try {
    const urlObject = new URL(url);

const { searchParams } = urlObject;

searchParams.set('utm_source', 'axios_docs_website');
    searchParams.set('utm_medium', 'website');
    searchParams.set('utm_campaign', 'axios_open_collective_sponsorship');

return urlObject.toString();
  } catch {
    return url;
  }
};

const sponsorsByTier = {};

for (const sponsor of allSponsorsProcessedData) {
  sponsorsByTier[sponsor.tier] ||= [];
  ...
}
```

After:

```js
const buildLinks = (url, bypass = false) => {
  if (bypass) {
    return url;
  }

try {
    const urlObject = new URL(url);

if (!['http:', 'https:'].includes(urlObject.protocol)) {
      return null;
    }

const { searchParams } = urlObject;

searchParams.set('utm_source', 'axios_docs_website');
    searchParams.set('utm_medium', 'website');
    searchParams.set('utm_campaign', 'axios_open_collective_sponsorship');

return urlObject.toString();
  } catch {
    return null;
  }
};

const sponsorsByTier = Object.create(null);

for (const sponsor of allSponsorsProcessedData) {
  sponsorsByTier[sponsor.tier] ||= [];
  ...
}
```

The patch added two precise controls: a protocol whitelist for parsed URLs, and a null-prototype dictionary to prevent attacker-controlled keys from mutating `Object.prototype`.

## Root Cause

The bug combined two failures in `docs/scripts/process-sponsors.js`. First, `buildLinks()` accepted any `url` scheme that `new URL(url)` could parse, so attacker-controlled input like `javascript:alert(1)` survived and was returned as an href candidate. Second, the sponsor grouping code used a plain object literal for `sponsorsByTier` and indexed it with attacker-controlled `sponsor.tier`; a value of `__proto__` crossed the trust boundary and mutated the prototype chain instead of creating an ordinary map entry. This is prototype pollution (CWE-1321) plus insufficient input validation for URL schemes (CWE-20).

## Why It Works

The load-bearing fixes are the protocol check and the `Object.create(null)` line. Without `if (!['http:', 'https:'].includes(urlObject.protocol))`, `javascript:` remains a valid URL object and the helper still returns it, so the URL validation bug is still exploitable. Without `Object.create(null)`, `sponsorsByTier[sponsor.tier] ||= []` on a malicious `__proto__` key would again alter object inheritance. The `return null` changes are the safe failure path needed after introducing the protocol check; they ensure invalid or disallowed URLs are dropped instead of echoed back.

## Hardening Checklist

- Use `Object.create(null)` for maps keyed by external data instead of `{}`.
- Validate `URL.protocol` against a whitelist like `['http:', 'https:']` after parsing with `new URL()`.
- Fail closed: return `null` or throw on parse failures instead of returning the original untrusted string.
- Avoid shorthand object initialization (`obj[key] ||= []`) when `key` can be attacker-controlled; use explicit key checks like `Object.hasOwn(obj, key)` if needed.
- Normalize third-party metadata before template building so fields like `tier` and `url` are constrained to expected values.

## References

- https://nvd.nist.gov/vuln/detail/CVE-2026-40175

CVE CVE-2026-40175

PRODUCT axios

AFFECTED ≤ v1.14.0

FIXED IN v1.15.0

STATUS Generated

Security writeup · CVE-2026-40175

Source files · 1

docs/scripts/process-sponsors.js Linked

↗ NVD