CVE-2026-40175: Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain
(updated )
The Axios library is vulnerable to a specific gadget-style attack chain in which prototype pollution in a third-party dependency may be leveraged to inject unsanitized header values into outbound requests.
Axios can be used as a gadget after pollution occurs elsewhere because header values merged from attacker-controlled prototype properties are not sanitized for CRLF (\r\n) characters before being written to the request. In affected deployments, this may enable limited request manipulation or metadata access as part of a higher-complexity exploit chain.
Severity: Moderate (CVSS 3.1 Base Score: 4.8)
Affected Versions: All versions (v0.x - v1.x)
Vulnerable Component: lib/adapters/http.js (Header Processing)
References
- cert-portal.siemens.com/productcert/html/ssa-876049.html
- github.com/advisories/GHSA-fvcv-3m26-pcqx
- github.com/axios/axios/commit/03cdfc99e8db32a390e12128208b6778492cee9c
- github.com/axios/axios/commit/363185461b90b1b78845dc8a99a1f103d9b122a1
- github.com/axios/axios/pull/10660
- github.com/axios/axios/pull/10660
- github.com/axios/axios/pull/10688
- github.com/axios/axios/releases/tag/v0.31.0
- github.com/axios/axios/releases/tag/v1.15.0
- github.com/axios/axios/security/advisories/GHSA-fvcv-3m26-pcqx
- nvd.nist.gov/vuln/detail/CVE-2026-40175
Code Behaviors & Features
Detect and mitigate CVE-2026-40175 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →