CVE-2026-44489 (LOW): detected in Lambda Docker Images.

[the-lambda-watchdog]

CVE Details

CVE ID	Severity	Affected Package	Installed Version	Fixed Version	Date Published	Date of Scan
CVE-2026-44489	LOW	axios	1.15.2	1.16.0	2026-06-11T17:16:32.883Z	2026-06-12T10:18:16.790052646Z

---

Affected Docker Images

Image Name	SHA
public.ecr.aws/lambda/nodejs:latest	public.ecr.aws/lambda/nodejs@sha256:5fc0a885aec5f7af983d873496774cc8151a64b4b0be567b2c5707b0441c4f63
public.ecr.aws/lambda/nodejs:24	public.ecr.aws/lambda/nodejs@sha256:dbb877d56e710380d86a0ad9ab48a53ffa0977cbabebd6ae0db366a4cc88b20e
public.ecr.aws/lambda/nodejs:22	public.ecr.aws/lambda/nodejs@sha256:5fc0a885aec5f7af983d873496774cc8151a64b4b0be567b2c5707b0441c4f63

---

Description

Axios is a promise based HTTP client for the browser and Node.js. From 1.15.2 to before 1.16.0, nested objects created by utils.merge() (e.g., config.proxy) are still constructed as plain {} with Object.prototype in their chain. The setProxy() function at lib/adapters/http.js:209-223 reads proxy.username, proxy.password, and proxy.auth without hasOwnProperty checks. When Object.prototype.username is polluted, setProxy() constructs a Proxy-Authorization header with attacker-controlled credentials and injects it into every proxied HTTP request. This vulnerability is fixed in 1.16.0.

---

Remediation Steps

• Update the affected package axios from version 1.15.2 to 1.16.0.

About this issue

• This issue may not contain all the information about the CVE nor the images it affects.
• This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
• For more, visit Lambda Watchdog.
• This issue was created automatically by Lambda Watchdog.