Skip to content

fix(parseHeaders): prevent prototype pollution using Object.create(null)#7538

Open
Mridul012 wants to merge 1 commit intoaxios:v1.xfrom
Mridul012:fix-parseheaders-prototype-v2
Open

fix(parseHeaders): prevent prototype pollution using Object.create(null)#7538
Mridul012 wants to merge 1 commit intoaxios:v1.xfrom
Mridul012:fix-parseheaders-prototype-v2

Conversation

@Mridul012
Copy link

@Mridul012 Mridul012 commented Mar 20, 2026
edited by cubic-dev-ai bot
Loading

Summary

Fixes a potential prototype pollution issue in parseHeaders by replacing a plain object {} with Object.create(null).

Problem

The current implementation initializes the parsed headers object using:

const parsed = {};

This creates an object with a prototype (Object.prototype). If a malicious or malformed header includes keys like __proto__ or constructor, it could modify the prototype chain and lead to unexpected behavior.

Fix

Initialize the object without a prototype:

const parsed = Object.create(null);
Impact

Prevents prototype pollution

Ensures safer handling of untrusted header input

No breaking changes

Verification

Verified locally

No changes in normal header parsing behavior


<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Prevent prototype pollution in `parseHeaders` by initializing the headers map with `Object.create(null)` instead of `{}`. This secures parsing of untrusted header keys without changing expected behavior.

## Description

Use this section for review hints, explanations or discussion points.

- Summary of changes
  - Initialize parsed headers with `Object.create(null)` to avoid inherited prototype.
- Reasoning
  - Blocks `__proto__`, `constructor`, and similar keys from mutating `Object.prototype`.
- Additional context
  - Internal-only change; no API or behavior changes for valid headers.

## Docs

- No docs updates needed; behavior and API remain the same.

## Testing

- No tests added in this PR.
- Recommended: add a regression test to ensure headers containing `__proto__`/`constructor` do not modify `Object.prototype` and are treated as plain keys.

<sup>Written for commit 999dbbe367683de9fea6be656638daab501e2238. Summary will update on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

cubic-dev-ai[bot]
cubic-dev-ai bot reviewed Mar 20, 2026
View reviewed changes
Copy link
Contributor

@cubic-dev-ai cubic-dev-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 1 file

Confidence score: 5/5

  • Automated review surfaced no issues in the provided summaries.
  • No files require special attention.

nmurrell07 added a commit to nmurrell07/axios that referenced this pull request Mar 23, 2026
@nmurrell07
Fixed prototype pollution vulnerability (issue axios#7538) in axios's…
2574e1c 
… parseHe
@nmurrell07 nmurrell07 mentioned this pull request Mar 23, 2026
Draft
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cubic-dev-ai cubic-dev-ai[bot] cubic-dev-ai[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Mridul012