Description
Axios is a promise based HTTP client for the browser and Node.js. Versions prior to 1.15.0 and 0.3.1 are vulnerable to a specific gadget-style attack chain in which prototype pollution in a third-party dependency may be leveraged to inject unsanitized header values into outbound requests. This vulnerability is fixed in 1.15.0 and 0.3.1.
Published: 2026-04-10
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Axios, a widely used promise‑based HTTP client, has a prototype‑pollution vulnerability that allows an attacker to inject unsanitized header values into outbound requests. The flaw can be exploited through a chain of malicious third‑party dependencies, enabling data to be sent from a cloud environment via unsanitized headers. This vulnerability is a form of cloud metadata exfiltration and could expose sensitive information such as instance metadata or credentials that are only available within the cloud environment. It ends up affecting confidentiality by allowing attackers to read data that is meant to remain internal to the cloud platform.

Affected Systems

All versions of Axios before v1.15.0 for Node.js and before v0.3.1 for browsers are affected. These versions are vulnerable to the header injection chain. Updating to v1.15.0 or v0.3.1 removes the vulnerable code paths and prevents the prototype‑pollution chain from executing.

Risk and Exploitability

The CVSS score of 4.8 indicates the flaw is moderately severe, and its EPSS score of less than 1% suggests that exploitation is currently uncommon. The vulnerability is not listed in the CISA KEV catalog. The attack vector likely involves inserting malicious code into a third‑party dependency that is pulled into an Axios request. Once the chain is triggered, the attacker can supply arbitrary header names and values, allowing data to be sent to external endpoints or pulled from the cloud metadata service.

Generated by OpenCVE AI on May 20, 2026 at 02:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Axios to the fixed releases v1.15.0 or v0.3.1.
  • Audit and lock all third‑party dependencies to known non‑vulnerable versions to prevent prototype pollution.
  • Review any custom header configuration in Axios and validate or sanitize header values before sending.

Generated by OpenCVE AI on May 20, 2026 at 02:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-fvcv-3m26-pcqx Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain
History

Wed, 20 May 2026 01:30:00 +0000

Type Values Removed Values Added
Description Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.3.1, the Axios library is vulnerable to a specific "Gadget" attack chain that allows Prototype Pollution in any third-party dependency to be escalated into Remote Code Execution (RCE) or Full Cloud Compromise (via AWS IMDSv2 bypass). This vulnerability is fixed in 1.15.0 and 0.3.1. Axios is a promise based HTTP client for the browser and Node.js. Versions prior to 1.15.0 and 0.3.1 are vulnerable to a specific gadget-style attack chain in which prototype pollution in a third-party dependency may be leveraged to inject unsanitized header values into outbound requests. This vulnerability is fixed in 1.15.0 and 0.3.1.

Tue, 12 May 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 12 May 2026 13:30:00 +0000

Type Values Removed Values Added
References

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:axios:axios:*:*:*:*:*:node.js:*:*

Thu, 16 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

 cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N'}

Tue, 14 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
Description Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0, the Axios library is vulnerable to a specific "Gadget" attack chain that allows Prototype Pollution in any third-party dependency to be escalated into Remote Code Execution (RCE) or Full Cloud Compromise (via AWS IMDSv2 bypass). This vulnerability is fixed in 1.15.0. Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.3.1, the Axios library is vulnerable to a specific "Gadget" attack chain that allows Prototype Pollution in any third-party dependency to be escalated into Remote Code Execution (RCE) or Full Cloud Compromise (via AWS IMDSv2 bypass). This vulnerability is fixed in 1.15.0 and 0.3.1.
References

Tue, 14 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-915
References
Metrics threat_severity

None

 threat_severity

Critical

Mon, 13 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Axios
Axios axios
Vendors & Products Axios
Axios axios

Mon, 13 Apr 2026 10:30:00 +0000

Type Values Removed Values Added
References

Fri, 10 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
Description Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0, the Axios library is vulnerable to a specific "Gadget" attack chain that allows Prototype Pollution in any third-party dependency to be escalated into Remote Code Execution (RCE) or Full Cloud Compromise (via AWS IMDSv2 bypass). This vulnerability is fixed in 1.15.0.
Title Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain
Weaknesses CWE-113
CWE-444
CWE-918
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Axios Axios
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-20T00:26:34.868Z

Reserved: 2026-04-09T20:59:17.618Z

Link: CVE-2026-40175

cve-icon Vulnrichment

Updated: 2026-04-13T09:32:22.149Z

cve-icon NVD

Status : Modified

Published: 2026-04-10T20:16:22.800

Modified: 2026-05-20T02:16:35.730

Link: CVE-2026-40175

cve-icon Redhat

Severity : Critical

Publid Date: 2026-04-10T19:23:52Z

Links: CVE-2026-40175 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T03:00:12Z

Weaknesses