Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain

10 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Description

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0, the Axios library is vulnerable to a specific "Gadget" attack chain that allows Prototype Pollution in any third-party dependency to be escalated into Remote Code Execution (RCE) or Full Cloud Compromise (via AWS IMDSv2 bypass). This vulnerability is fixed in 1.15.0.

AI Analysis

Prototype Pollution vulnerability in Axios library allowing Remote Code Execution (RCE) or Full Cloud Compromise via AWS IMDSv2 bypass

Basic Information

ID CVE-2026-40175

Source GitHub_M

Published Apr 10, 2026 at 19:23

Affected Product

Vendor axios

Product axios

Version < 1.15.0

Affected Versions axios axios < 1.15.0

CWE Classification

CWE-113 CWE-444 CWE-918

AI Assessment

AI Score 10 / 10

AI Severity Critical

Vendor Axios

Product Axios HTTP Client

Version < 1.15.0

References

{
    "lastseen": "",
    "description": "Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0, the Axios library is vulnerable to a specific \"Gadget\" attack chain that allows Prototype Pollution in any third-party dependency to be escalated into Remote Code Execution (RCE) or Full Cloud Compromise (via AWS IMDSv2 bypass). This vulnerability is fixed in 1.15.0.",
    "published": "2026-04-10T19:23:52.285Z",
    "modified": "2026-04-10T19:23:52.285Z",
    "type": "cve",
    "title": "Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain",
    "source": "GitHub_M",
    "references": "https://github.com/axios/axios/security/advisories/GHSA-fvcv-3m26-pcqx\nhttps://github.com/axios/axios/pull/10660\nhttps://github.com/axios/axios/commit/363185461b90b1b78845dc8a99a1f103d9b122a1\nhttps://github.com/axios/axios/releases/tag/v1.15.0",
    "id": "CVE-2026-40175",
    "bulletinFamily": "",
    "cwe": [
        "CWE-113",
        "CWE-444",
        "CWE-918"
    ],
    "cvelist": null,
    "sourceData": "axios axios < 1.15.0",
    "sourceHref": "",
    "cvss": {
        "score": 10,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "axios",
    "version": "< 1.15.0",
    "vendor": "axios",
    "ai_description": "Prototype Pollution vulnerability in Axios library allowing Remote Code Execution (RCE) or Full Cloud Compromise via AWS IMDSv2 bypass",
    "ai_severity": "Critical",
    "ai_vendor": "Axios",
    "ai_product": "Axios HTTP Client",
    "ai_version": "< 1.15.0",
    "ai_score": 10
}

Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain_CVE-2026-40175