CVE-2026-40175

MEDIUM LAB

Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain

Title source: cna

Exploitation Summary

EIP tracks 5 public exploits for CVE-2026-40175. PoCs published by adminlove520, pjt3591oo, LeeKangHyun.

AI-analyzed exploit summary: This repository contains a functional proof-of-concept for CVE-2026-40175, demonstrating CRLF injection in the Axios HTTP client leading to HTTP request smuggling and SSRF via an nginx open proxy. It includes detailed technical analysis, exploit code, and a Docker-based test environment.

Description

Axios is a promise-based HTTP client for the browser and Node.js. Versions prior to 1.15.0 and 0.3.1 are vulnerable to a specific gadget-style attack chain in which prototype pollution in a third-party dependency may be leveraged to inject unsanitized header values into outbound requests. This vulnerability is fixed in 1.15.0 and 0.3.1.

Exploits (5)

github · WORKING POC · 4 stars
by adminlove520 · python · poc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2026/CVE-2026-40175

This repository contains a functional proof-of-concept for CVE-2026-40175, demonstrating CRLF injection in the Axios HTTP client leading to HTTP request smuggling and SSRF via an nginx open proxy. It includes detailed technical analysis, exploit code, and a Docker-based test environment.

Classification: Working PoC (95%)
Attack Type: SSRF
Complexity: Moderate
Reliability: Reliable
Target: Axios HTTP client (>=1.0.0 <1.15.0, <0.31.0)
No auth needed
Prerequisites: Node.js environment · Docker · nginx with open proxy configuration · custom adapter for raw socket usage
Analyzed by devstral-2 on May 09, 2026

nomisec · WORKING POC
by pjt3591oo · poc
https://github.com/pjt3591oo/CVE-2026-40175-poc

This repository contains a functional proof-of-concept for CVE-2026-40175, demonstrating CRLF injection in the Axios HTTP client leading to HTTP request smuggling and SSRF via an nginx open proxy. It includes detailed technical analysis, root cause, and multiple test scenarios.

Classification: Working PoC (95%)
Attack Type: SSRF
Complexity: Moderate
Reliability: Reliable
Target: Axios HTTP client (>=1.0.0 <1.15.0, <0.31.0)
No auth needed
Prerequisites: Axios vulnerable version · nginx with open proxy configuration · custom adapter for raw socket usage
Analyzed by devstral-2 on Apr 17, 2026

nomisec · WRITEUP
by LeeKangHyun · poc
https://github.com/LeeKangHyun/axios-security-guide

This repository provides a detailed technical analysis and mitigation guide for CVE-2026-40175, an Axios CRLF injection vulnerability leading to HTTP request smuggling and SSRF. It includes root cause analysis, patching strategies, and code examples for both source-level and runtime defenses.

Classification: Writeup (95%)
Attack Type: SSRF
Complexity: Moderate
Reliability: Reliable
Target: Axios < 1.15.0
No auth needed
Prerequisites: Prototype pollution or user-controlled header input
Analyzed by devstral-2 on Apr 15, 2026

nomisec · SCANNER
by surri · poc
https://github.com/surri/audit-axios

This repository contains a Node.js-based scanner tool designed to detect vulnerable versions of the axios library (CVE-2026-40175) in local project directories. It provides interactive and automated patching capabilities but does not include exploit code for the vulnerability itself.

Classification: Scanner (95%)
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: axios < 1.15.0
No auth needed
Prerequisites: Local access to project directories · Node.js environment
Analyzed by devstral-2 on Apr 14, 2026

nomisec · WRITEUP
by 0xBlackash · poc
https://github.com/0xBlackash/CVE-2026-40175

This repository provides a detailed technical analysis of CVE-2026-40175, a critical prototype pollution vulnerability in Axios versions prior to 1.15.0. It explains the escalation to RCE and cloud compromise, includes mitigation steps, and references official sources.

Classification: Writeup (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Axios < 1.15.0
No auth needed
Prerequisites: Prototype pollution primitive from any dependency · Axios usage in the target environment
Analyzed by devstral-2 on Apr 12, 2026

Scores

CVSS v3: 4.8
EPSS: 0.0006
EPSS Percentile: 20.1%
Attack Vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: total

Lab Environment

Community Lab
docker pull nginx:alpine

Details

CWE: CWE-113, CWE-444, CWE-918
Status: published
Products (5):
axios/axios < 1.15.0 (2 CPE variants)
axios/axios < 0.31.0
axios/axios >= 1.0.0, < 1.15.0
npm/axios 0 - 0.31.0 (npm)
npm/axios 1.0.0 - 1.15.0 (npm)
Published: Apr 10, 2026
Tracked Since: Apr 11, 2026