CVE-2026-44494 (HIGH): detected in Lambda Docker Images.

[the-lambda-watchdog]

CVE Details

CVE ID	Severity	Affected Package	Installed Version	Fixed Version	Date Published	Date of Scan
CVE-2026-44494	HIGH	axios	1.15.2	1.16.0	2026-06-11T17:16:33.313Z	2026-06-12T10:18:16.790052646Z

---

Affected Docker Images

Image Name	SHA
public.ecr.aws/lambda/nodejs:latest	public.ecr.aws/lambda/nodejs@sha256:5fc0a885aec5f7af983d873496774cc8151a64b4b0be567b2c5707b0441c4f63
public.ecr.aws/lambda/nodejs:24	public.ecr.aws/lambda/nodejs@sha256:dbb877d56e710380d86a0ad9ab48a53ffa0977cbabebd6ae0db366a4cc88b20e
public.ecr.aws/lambda/nodejs:22	public.ecr.aws/lambda/nodejs@sha256:5fc0a885aec5f7af983d873496774cc8151a64b4b0be567b2c5707b0441c4f63

---

Description

Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.16.0, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into a full Man-in-the-Middle (MITM) attack — intercepting, reading, and modifying all HTTP traffic including authentication credentials. The HTTP adapter at lib/adapters/http.js:670 reads config.proxy via standard property access, which traverses the prototype chain. Because proxy is not present in Axios defaults, the merged config object has no own proxy property, making it trivially injectable via prototype pollution. Once injected, setProxy() routes all HTTP requests through the attacker's proxy server. This vulnerability is fixed in 1.16.0.

---

Remediation Steps

• Update the affected package axios from version 1.15.2 to 1.16.0.

About this issue

• This issue may not contain all the information about the CVE nor the images it affects.
• This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
• For more, visit Lambda Watchdog.
• This issue was created automatically by Lambda Watchdog.