CVE-2026-42041 (MEDIUM): detected in Lambda Docker Images.

[the-lambda-watchdog]

CVE Details

CVE ID	Severity	Affected Package	Installed Version	Fixed Version	Date Published	Date of Scan
CVE-2026-42041	MEDIUM	axios	1.15.0	1.15.1, 0.31.1	2026-04-24T18:16:31.133Z	2026-05-08T10:18:20.600877578Z

---

Affected Docker Images

Image Name	SHA
public.ecr.aws/lambda/nodejs:latest	public.ecr.aws/lambda/nodejs@sha256:cd0287bce1f8c0a87e85950019ecd09daae832e2510e87a5385737a7ff5dc99a
public.ecr.aws/lambda/nodejs:24	public.ecr.aws/lambda/nodejs@sha256:33ee7117be4cefdbdbe8d2d6c6fe58b21d52d21d702eed1df68dfe809cd1b7f9
public.ecr.aws/lambda/nodejs:22	public.ecr.aws/lambda/nodejs@sha256:cd0287bce1f8c0a87e85950019ecd09daae832e2510e87a5385737a7ff5dc99a

---

Description

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution to silently suppress all HTTP error responses (401, 403, 500, etc.), causing them to be treated as successful responses. This completely bypasses application-level authentication and error handling. The root cause is that validateStatus is the only config property using the mergeDirectKeys merge strategy, which uses JavaScript's in operator — an operator that inherently traverses the prototype chain. When Object.prototype.validateStatus is polluted with () => true, all HTTP status codes are accepted as success. This vulnerability is fixed in 1.15.1 and 0.31.1.

---

Remediation Steps

• Update the affected package axios from version 1.15.0 to 1.15.1, 0.31.1.

About this issue

• This issue may not contain all the information about the CVE nor the images it affects.
• This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
• For more, visit Lambda Watchdog.
• This issue was created automatically by Lambda Watchdog.