CVE-2026-40175

MEDIUM LAB

Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain

Title source: cna

Description

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.3.1, the Axios library is vulnerable to a specific "Gadget" attack chain that allows Prototype Pollution in any third-party dependency to be escalated into Remote Code Execution (RCE) or Full Cloud Compromise (via AWS IMDSv2 bypass). This vulnerability is fixed in 1.15.0 and 0.3.1.

Exploits (5)

nomisec WORKING POC
by pjt3591oo · poc
https://github.com/pjt3591oo/CVE-2026-40175-poc
nomisec WRITEUP
by LeeKangHyun · poc
https://github.com/LeeKangHyun/axios-security-guide
nomisec SCANNER
by surri · poc
https://github.com/surri/audit-axios
nomisec WRITEUP
by 0xBlackash · poc
https://github.com/0xBlackash/CVE-2026-40175

References (8)

Scores

CVSS v3 4.8
EPSS 0.0003
EPSS Percentile 7.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Lab Environment

COMMUNITY
Community Lab
docker pull nginx:alpine
+2 more repos

Details

CWE
CWE-113 CWE-444 CWE-918
Status published
Products (4)
axios/axios < 1.15.0 (2 CPE variants)
axios/axios < 0.31.0
axios/axios >= 1.0.0, < 1.15.0
npm/axios 0 - 1.15.0npm
Published Apr 10, 2026
Tracked Since Apr 11, 2026