fix(parseHeaders): prevent prototype pollution using Object.create(null) by Mridul012 · Pull Request #7538 · axios/axios · GitHub

fix(parseHeaders): prevent prototype pollution using Object.create(null)#7538

Open

Mridul012 wants to merge 1 commit into axios:v1.x from Mridul012:fix-parseheaders-prototype-v2

Conversation

@Mridul012

@Mridul012 Mridul012 commented Mar 20, 2026


Summary

Fixes a potential prototype pollution issue in parseHeaders by replacing a plain object {} with Object.create(null).

Problem

The current implementation initializes the parsed headers object using:

```js
const parsed = {};
```

This creates an object with a prototype (Object.prototype). If a malicious or malformed header includes keys like __proto__ or constructor, it could modify the prototype chain and lead to unexpected behavior.

Fix

Initialize the object without a prototype:

```js
const parsed = Object.create(null);
```

Impact

- Prevents prototype pollution
- Ensures safer handling of untrusted header input
- No breaking changes

Verification

- Verified locally
- No changes in normal header parsing behavior


---
## Summary by cubic
Prevent prototype pollution in `parseHeaders` by initializing the headers map with `Object.create(null)` instead of `{}`. This secures parsing of untrusted header keys without changing expected behavior.

## Description

Use this section for review hints, explanations or discussion points.

- Summary of changes
  - Initialize parsed headers with `Object.create(null)` to avoid inherited prototype.
- Reasoning
  - Blocks `__proto__`, `constructor`, and similar keys from mutating `Object.prototype`.
- Additional context
  - Internal-only change; no API or behavior changes for valid headers.

## Docs

- No docs updates needed; behavior and API remain the same.

## Testing

- No tests added in this PR.
- Recommended: add a regression test to ensure headers containing `__proto__`/`constructor` do not modify `Object.prototype` and are treated as plain keys.

<sup>Written for commit 999dbbe367683de9fea6be656638daab501e2238. Summary will update on new commits.</sup>

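As an added example (not code from axios or from this PR), the regression check recommended above, written out: a minimal parser in the shape of `parseHeaders` runs over constructed input containing `__proto__` and `constructor` lines, once with `{}` and once with `Object.create(null)`, and reports what each variant does with those keys. The comma-joining of repeated headers is assumed to match axios's parser, and the helper names (`parseRawHeaders`, `compare`) are made up for this illustration.

```javascript
// Added example, not axios's own code: a minimal parser in the shape of
// parseHeaders, parameterised on how the result map is created so the `{}`
// and `Object.create(null)` variants can be compared on the same input.
function parseRawHeaders(rawHeaders, createMap) {
  const parsed = createMap();
  rawHeaders.split('\n').forEach((line) => {
    const i = line.indexOf(':');
    const key = line.substring(0, i).trim().toLowerCase();
    const val = line.substring(i + 1).trim();
    if (!key) return;
    // Assumed merge rule (as in axios's parser): repeated headers are comma-joined.
    // Note that the truthiness test also fires on *inherited* properties.
    parsed[key] = parsed[key] ? parsed[key] + ', ' + val : val;
  });
  return parsed;
}

// Constructed sample input: one ordinary header plus two keys whose names
// collide with properties inherited from Object.prototype.
const RAW = 'content-type: text/plain\n__proto__: polluted\nconstructor: polluted';

// Runs both variants and returns the observations a regression test would assert on.
function compare() {
  const withPlain = parseRawHeaders(RAW, () => ({}));
  const withNull = parseRawHeaders(RAW, () => Object.create(null));
  const own = (obj, k) => Object.prototype.hasOwnProperty.call(obj, k);
  return {
    // Object.prototype must not have gained a property in either variant.
    prototypeClean: !own(Object.prototype, 'polluted') && ({}).polluted === undefined,
    // `{}`: a header that was never sent still "exists" via the prototype chain ...
    plainSeesInheritedConstructor: 'constructor' in parseRawHeaders('', () => ({})),
    nullSeesInheritedConstructor: 'constructor' in parseRawHeaders('', () => Object.create(null)),
    // ... the inherited Object function gets concatenated into the stored value ...
    plainConstructorValue: withPlain.constructor,
    // ... and the `__proto__` assignment is silently dropped by the inherited setter.
    plainHasOwnProto: own(withPlain, '__proto__'),
    // Null-prototype map: both keys are plain own properties holding the header value.
    nullOwnProto: own(withNull, '__proto__'),
    nullProtoValue: withNull['__proto__'],
    nullConstructorValue: withNull.constructor,
    nullKeys: Object.keys(withNull).sort().join(','),
  };
}
```

With `{}` the `__proto__` line is lost and the `constructor` line is corrupted by the inherited value, while `Object.create(null)` keeps both as ordinary keys; in neither case is `Object.prototype` itself modified by string-valued headers.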

@cubic-dev-ai cubic-dev-ai Bot left a comment

Contributor


No issues found across 1 file

Confidence score: 5/5

  • Automated review surfaced no issues in the provided summaries.
  • No files require special attention.


@jasonsaayman jasonsaayman added the commit::fix and type::breaking (The PR introduces breaking changes) labels Apr 26, 2026
@jasonsaayman jasonsaayman added the commit::fix (The PR is related to a bugfix) label and removed the commit::fix label Jun 14, 2026
@jasonsaayman jasonsaayman added the status::blocked (This PR or issue is deemed to be blocked) label Jun 25, 2026