A critical security vulnerability in Axios, the ubiquitous promise-based HTTP client for Node.js and the browser, has been publicly disclosed. Tracked as CVE-2026-40175 with a maximum CVSS score of 10, the flaw lets an attacker escalate an ordinary prototype pollution elsewhere in the software stack into a total cloud takeover or Remote Code Execution (RCE).
The full technical details of the vulnerability—including a working Proof of Concept (PoC) exploit—have been officially released.
This vulnerability is uniquely dangerous because it requires no direct user input to trigger. Instead, Axios acts as a “gadget”—a pre-installed component that an attacker can weaponize after first compromising a different, seemingly minor library.
The attack chain works like this:
- An attacker exploits a common Prototype Pollution vulnerability in a third-party dependency like qs, minimist, or body-parser.
- Axios automatically picks up these polluted properties during its internal configuration merge.
- Because Axios fails to sanitize these merged values for CRLF (\r\n) characters, the polluted property is transformed into a Request Smuggling payload.
The implications of this “Header Injection Chain” are severe, particularly for cloud-native applications. By bypassing critical security controls, an attacker can achieve:
- Full Cloud Compromise: The exploit is capable of defeating AWS IMDSv2 (Session Tokens), allowing for unrestricted cloud metadata exfiltration.
- Authentication Bypass: Attackers can inject Cookie or Authorization headers to pivot into internal administrative panels.
- Cache Poisoning: Malicious Host headers can be injected to poison shared caches and impact other users.
Given that Axios is isomorphic and runs in both browsers and Node.js environments, the reach of this flaw is vast.
- Affected Versions: All versions prior to 1.13.2.
- Patched Versions: Organizations must upgrade to 1.15.0 or higher.
The most effective fix is to move your project to Axios 1.15.0. The fix involves validating all header values in lib/adapters/http.js and xhr.js to ensure they do not contain invalid CRLF characters.
If you cannot upgrade immediately, the community has shared a patch suggestion to manually throw an error if a header value contains invalid characters:
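As an added illustration (not the community patch referred to above, and not Axios's own code), the following JavaScript shows the two checks the fix describes: rejecting CR/LF in header values, and merging only own properties so a value inherited from a polluted prototype never reaches the request. The function names and the sample header values are hypothetical.

```javascript
// Added example, not code from Axios or from the advisory above; function
// names are hypothetical. It shows the two checks the fix describes: reject
// CR/LF in header values, and copy only own properties during the merge so a
// value inherited from a polluted prototype never reaches the request.
const CRLF_RE = /[\r\n]/;

// Reject any value that could end the header line and start another.
function assertValidHeaderValue(name, value) {
  const str = String(value);
  if (CRLF_RE.test(str)) {
    throw new TypeError(`Invalid character in header value for "${name}"`);
  }
  return str;
}

// Naive merge, for contrast: for...in also walks inherited enumerable
// properties, so a polluted prototype leaks straight into the headers.
function naiveMergeHeaders(defaults, overrides) {
  const out = {};
  for (const src of [defaults, overrides]) {
    for (const name in src) out[name] = src[name];
  }
  return out;
}

// Hardened merge: own keys only, null-prototype result, every value checked.
function safeMergeHeaders(defaults, overrides) {
  const out = Object.create(null);
  for (const src of [defaults, overrides]) {
    if (src == null) continue;
    for (const name of Object.keys(src)) {
      out[name] = assertValidHeaderValue(name, src[name]);
    }
  }
  return out;
}

// Constructed scenario: a header object whose prototype carries a CRLF-bearing
// value, standing in for a polluted Object.prototype without touching it.
function demo() {
  const polluted = Object.create({ 'x-injected': 'x\r\nX-Smuggled: 1' });
  polluted.Accept = 'application/json';
  const defaults = { 'User-Agent': 'example-client/1.0' };
  const naive = naiveMergeHeaders(defaults, polluted);
  const safe = safeMergeHeaders(defaults, polluted);
  let rejected = false;
  try { assertValidHeaderValue('Host', 'a\r\nb'); } catch (e) { rejected = true; }
  return { naiveLeaks: 'x-injected' in naive, safeLeaks: 'x-injected' in safe, rejected };
}
```

Running `demo()` shows the naive merge carrying the inherited CRLF value into the header set while the hardened merge drops it and the validator rejects an explicit CRLF value outright.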