CVE-2026-44494
Axios · Axios
Axios is vulnerable to a Prototype Pollution attack that can be escalated into a full Man-in-the-Middle (MITM) attack.
Executive summary
A high-severity Prototype Pollution gadget in Axios can be leveraged to intercept and modify HTTP traffic, resulting in a full Man-in-the-Middle attack.
Vulnerability
This vulnerability is a Prototype Pollution 'gadget': it allows any Object.prototype pollution already present elsewhere in the application's dependency tree to be escalated into a full Man-in-the-Middle (MITM) attack, enabling the interception, reading, and modification of HTTP traffic.
Business impact
With a CVSS score of 8.7, this vulnerability poses a severe threat to the confidentiality and integrity of communications handled by applications using Axios. By enabling MITM attacks, an attacker can steal session cookies, credentials, or sensitive business data transmitted over the network, leading to significant reputational and financial damage.
Remediation
Immediate Action: Update the Axios library to version 1.16.0 or higher across all development projects and production deployments.
Proactive Monitoring: Monitor network traffic for anomalous patterns or unexpected proxy redirects that could indicate active traffic interception.
Compensating Controls: Audit the application's dependency tree to identify and remediate other sources of Prototype Pollution that could serve as a trigger for this gadget.
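As an added illustration of the compensating control above (example code, not from the advisory or the Axios project), the block below shows how one unsafe merge of attacker-controlled JSON plants a key on Object.prototype, a hardened merge that refuses prototype-reaching keys, and a startup check that reports any keys an empty object unexpectedly inherits. The function names are assumptions.

```javascript
// Added example (not from the advisory or Axios): vulnerable merge, hardened
// merge, and a runtime detector for a polluted Object.prototype.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Unsafe deep merge: the classic pollution sink. Recursing into a '__proto__'
// key walks into Object.prototype and writes attacker-chosen properties there.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (typeof value === 'object' && value !== null) {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: copies only own keys, skips the prototype-reaching ones, and
// never recurses into an inherited object on the target side.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (typeof value === 'object' && value !== null && !Array.isArray(value)) {
      const ownObj = Object.prototype.hasOwnProperty.call(target, key) &&
        typeof target[key] === 'object' && target[key] !== null;
      if (!ownObj) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Detector: an empty object must inherit no enumerable keys. Anything listed
// here was placed on Object.prototype by some code in the process (a polluted
// dependency), i.e. exactly the trigger a gadget like this one needs.
function findPollutedKeys() {
  const keys = [];
  for (const key in {}) keys.push(key);
  return keys;
}

// Removes detected pollution; useful in tests, not a substitute for fixing the sink.
function cleanupPollutedKeys(keys) {
  for (const k of keys) delete Object.prototype[k];
}
```

Running findPollutedKeys() at process start (or freezing Object.prototype in hardened deployments) gives an early signal that a pollution source exists before any gadget can use it.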
Exploitation status
Public Exploit Available: true
Analyst recommendation
The ability to escalate prototype pollution into a full MITM attack makes this a high-priority update. Developers should immediately audit their dependency manifests and update Axios to version 1.16.0 or later to mitigate this critical risk.