Description
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.3.1, the Axios library is vulnerable to a specific "Gadget" attack chain that allows Prototype Pollution in any third-party dependency to be escalated into Remote Code Execution (RCE) or Full Cloud Compromise (via AWS IMDSv2 bypass). This vulnerability is fixed in 1.15.0 and 0.3.1.
Published: 2026-04-10
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution and Cloud Metadata Exfiltration
Action: Immediate Patch
AI Analysis

Impact

The CVE description explains that a prototype‑pollution flaw in any third‑party dependency can be escalated through a Gadget chain in Axios, potentially leading to remote code execution or full cloud compromise via an AWS IMDSv2 bypass. The specific code paths involve HTTP header manipulation, suggesting that header injection may be part of the attack, although this is inferred rather than explicitly stated. Based on the listed CWEs—CWE‑113, CWE‑444, CWE‑915, and CWE‑918—the vulnerability allows the attacker to manipulate global objects, inject malicious headers, and possibly execute arbitrary code with the process's privileges. Additionally, the chain bypasses IMDSv2, enabling cloud metadata exfiltration.

Affected Systems

Axios, the popular promise‑based HTTP client for Node.js and browsers, is affected. The library versions before 1.15.0 for Node and before 0.3.1 for browser clients contain the flaw. Updating to 1.15.0 or 0.3.1 removes the vulnerable code paths.

Risk and Exploitability

The CVSS vector scores the issue at 4.8, reflecting a moderate‑impact, remotely exploitable flaw. The EPSS score is below 1%, suggesting that while exploitation is possible, it is not yet widespread. The vulnerability is not listed in the CISA KEV catalog, but its potential for cloud breach and full RCE warrants urgent action. It is inferred that exploitation would likely involve inserting malicious library code that triggers prototype‑polluted libraries and sending crafted headers to execute arbitrary code or bypass IMDSv2.

Generated by OpenCVE AI on April 17, 2026 at 09:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Axios to the latest version (>=1.15.0 for Node.js or >=0.3.1 for browser).
  • Verify that all third‑party dependencies are locked to verified, non‑vulnerable versions and that no prototype‑polluted libraries are installed.
  • Apply the security advisory from the Axios repository and follow the release notes in v1.15.0 and v0.3.1.

Generated by OpenCVE AI on April 17, 2026 at 09:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-fvcv-3m26-pcqx Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain
History

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:axios:axios:*:*:*:*:*:node.js:*:*

Thu, 16 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

 cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N'}

Tue, 14 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
Description Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0, the Axios library is vulnerable to a specific "Gadget" attack chain that allows Prototype Pollution in any third-party dependency to be escalated into Remote Code Execution (RCE) or Full Cloud Compromise (via AWS IMDSv2 bypass). This vulnerability is fixed in 1.15.0. Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.3.1, the Axios library is vulnerable to a specific "Gadget" attack chain that allows Prototype Pollution in any third-party dependency to be escalated into Remote Code Execution (RCE) or Full Cloud Compromise (via AWS IMDSv2 bypass). This vulnerability is fixed in 1.15.0 and 0.3.1.
References

Tue, 14 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-915
References
Metrics threat_severity

None

 threat_severity

Critical

Mon, 13 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Axios
Axios axios
Vendors & Products Axios
Axios axios

Mon, 13 Apr 2026 10:30:00 +0000

Type Values Removed Values Added
References

Fri, 10 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
Description Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0, the Axios library is vulnerable to a specific "Gadget" attack chain that allows Prototype Pollution in any third-party dependency to be escalated into Remote Code Execution (RCE) or Full Cloud Compromise (via AWS IMDSv2 bypass). This vulnerability is fixed in 1.15.0.
Title Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain
Weaknesses CWE-113
CWE-444
CWE-918
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Axios Axios
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-16T18:45:12.892Z

Reserved: 2026-04-09T20:59:17.618Z

Link: CVE-2026-40175

cve-icon Vulnrichment

Updated: 2026-04-13T09:32:22.149Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-10T20:16:22.800

Modified: 2026-04-21T19:44:44.400

Link: CVE-2026-40175

cve-icon Redhat

Severity : Critical

Publid Date: 2026-04-10T19:23:52Z

Links: CVE-2026-40175 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T09:30:14Z

Weaknesses