-
Type:
Public Security Vulnerability
-
Resolution: Fixed
-
Priority:
High
-
Affects Version/s: 9.4.12, 9.4.13, 9.4.14, 9.4.15, 9.4.16, 10.2.0, 9.4.17, 9.4.18, 10.2.1, 10.3.0, 9.4.19, 10.2.2, 10.2.3, 9.4.20
-
Component/s: None
-
7.4
-
High
-
CVE-2026-42035
-
Atlassian (Internal)
-
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
-
Injection
-
Bitbucket Data Center
This High severity Injection vulnerability was introduced in versions 9.4.12, 10.2.0, and 10.3.0 of Bitbucket Data Center.
This Injection vulnerability, with a CVSS Score of 7.4 and a CVSS Vector of CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N allows an unauthenticated attacker to modify the actions taken by a system call which has high impact to confidentiality, high impact to integrity, no impact to availability, and requires no user interaction.
Atlassian recommends that Bitbucket Data Center customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:
- Bitbucket Data Center 9.4: Upgrade to a release greater than or equal to 9.4.21
- Bitbucket Data Center 10.2: Upgrade to a release greater than or equal to 10.2.4
- Bitbucket Data Center 10.3: Upgrade to a release greater than or equal to 10.3.1
See the release notes (https://confluence.atlassian.com/bitbucketserver/release-notes). You can download the latest version of Bitbucket Data Center from the download center (https://www.atlassian.com/software/bitbucket/download-archives).
The National Vulnerability Database provides the following description for this vulnerability: Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, a prototype pollution gadget exists in the Axios HTTP adapter (lib/adapters/http.js) that allows an attacker to inject arbitrary HTTP headers into outgoing requests. The vulnerability exploits duck-type checking of the data payload, where if Object.prototype is polluted with getHeaders, append, pipe, on, once, and Symbol.toStringTag, Axios misidentifies any plain object payload as a FormData instance and calls the attacker-controlled getHeaders() function, merging the returned headers into the outgoing request. The vulnerable code resides exclusively in lib/adapters/http.js. The prototype pollution source does not need to originate from Axios itself — any prototype pollution primitive in any dependency in the application's dependency tree is sufficient to trigger this gadget. This vulnerability is fixed in 1.15.1 and 0.31.1.