CVE-2026-40175: Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain
(updated )
The Axios library is vulnerable to a specific “Gadget” attack chain that allows Prototype Pollution in any third-party dependency to be escalated into Remote Code Execution (RCE) or Full Cloud Compromise (via AWS IMDSv2 bypass).
While Axios patches exist for preventing check pollution, the library remains vulnerable to being used as a gadget when pollution occurs elsewhere. This is due to a lack of HTTP Header Sanitization (CWE-113) combined with default SSRF capabilities.
Severity: Critical (CVSS 9.9)
Affected Versions: All versions (v0.x - v1.x)
Vulnerable Component: lib/adapters/http.js (Header Processing)
References
- github.com/advisories/GHSA-fvcv-3m26-pcqx
- github.com/axios/axios
- github.com/axios/axios/commit/03cdfc99e8db32a390e12128208b6778492cee9c
- github.com/axios/axios/commit/363185461b90b1b78845dc8a99a1f103d9b122a1
- github.com/axios/axios/pull/10660
- github.com/axios/axios/pull/10660
- github.com/axios/axios/pull/10688
- github.com/axios/axios/releases/tag/v0.31.0
- github.com/axios/axios/releases/tag/v1.15.0
- github.com/axios/axios/security/advisories/GHSA-fvcv-3m26-pcqx
- nvd.nist.gov/vuln/detail/CVE-2026-40175
Code Behaviors & Features
Detect and mitigate CVE-2026-40175 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →