Summary

CVE-2026-42264 fix introduced the own() helper to guard config reads from prototype pollution, but socketPath and allowedSocketPaths were missed.

The Bug

// lib/adapters/http.js:886
if (config.socketPath) {  // ❌ reads from prototype chain!
    options.socketPath = config.socketPath;
}

12 other properties use own() (auth, beforeRedirect, data, transport, insecureHTTPParser, etc.) but socketPath does not.

PoC

const axios = require("axios");
Object.prototype.socketPath = "/var/run/docker.sock";
axios.get("http://example.com/api");
// → Request routes to Docker daemon!

Impact

• Docker container escape
• Kubernetes node access
• CI/CD pipeline hijacking

Fix

Use own("socketPath") and own("allowedSocketPaths") instead of direct config.xxx access:

const socketPath = own("socketPath");
if (socketPath) {
    const allowedSocketPaths = own("allowedSocketPaths");
    // ...
}

References

• GHSA-72mg-mc2j-cwf6
• CVE-2026-42264 (original, incomplete fix)
• Closes GHSA-q8qp-cvcw-x6jj (complete fix)

Summary by cubic

Guards socketPath and allowedSocketPaths with own() in the HTTP adapter to close a prototype pollution SSRF vector in axios. Completes CVE-2026-42264 coverage (GHSA-72mg-mc2j-cwf6) by preventing polluted prototypes from redirecting requests to Unix sockets.

• Bug Fixes

  • Read socketPath and allowedSocketPaths via own() in lib/adapters/http.js; keep type checks and allowlist validation on resolved paths.
  • Ignores inherited properties and blocks SSRF to Unix sockets.
  • Docs: Update /docs/ adapter config for socketPath, allowedSocketPaths, and setting an explicit allowlist.

• Testing

  • No tests added. Needed:
    • Inherited socketPath on Object.prototype is ignored.
    • Non-string socketPath throws ERR_BAD_OPTION_VALUE.
    • Requests proceed only when socketPath matches allowedSocketPaths (string and array).
  • Semantic version impact: patch (bug fix, no API/behavior change for valid configs).

^{Written for commit cf258f5. Summary will update on new commits. Review in cubic}