A critical security vulnerability has been disclosed in Axios, one of the most widely used HTTP client libraries in the JavaScript and Node.js ecosystem, affecting all versions from v0.x through v1.x below 1.13.2.
Tracked as CVE-2026-40175 and carrying a CVSS v3.1 score of 9.9 (Critical), the flaw enables attackers to chain a Prototype Pollution gadget with HTTP header injection to achieve Remote Code Execution (RCE) or full cloud account compromise, including a bypass of AWS IMDSv2 session token protections.
The vulnerability was reported by security researcher Raulvdv and patched in Axios v1.15.0.
Axios npm Library Flaw
Unlike traditional vulnerabilities that require direct attacker input into the affected component, CVE-2026-40175 operates as a “gadget” attack chain, meaning Axios itself becomes a weapon when another library introduces pollution into the same dependency stack.
This zero-direct-user-input attack model significantly expands the attack surface, as developers may not realize that their hardcoded, seemingly safe Axios calls are being exploited.
The root cause lies in lib/adapters/http.js, where Axios merges request configuration objects without sanitizing HTTP header values for CRLF characters (\r\n).
This violates CWE-113 (Improper Neutralization of CRLF Sequences in HTTP Headers) and, when combined with Axios’s default SSRF capabilities, creates a pathway to HTTP Request Smuggling (CWE-444) and Server-Side Request Forgery (CWE-918).
How the Attack Chain Works
The attack unfolds in three distinct phases. First, an attacker exploits a Prototype Pollution flaw in a separate library (popular candidates include qs, minimist, ini, or body-parser) to inject a malicious property into Object.prototype.
A representative payload targeting AWS metadata would inject a value like "dummy\r\n\r\nPUT /latest/api/token HTTP/1.1\r\nHost: 169.254.169.254\r\nX-aws-ec2-metadata-token-ttl-seconds: 21600" into a header key such as x-amz-target.
Second, the application executes a completely normal and developer-audited Axios request, for example, await axios.get('https://analytics.internal/pings').
Because Axios performs a deep config merge during request construction, the polluted prototype property is automatically included as a request header without any explicit developer action.
Third, Axios writes the header value directly to the TCP socket without CRLF validation, splitting the single HTTP request into multiple requests at the network layer.
The smuggled second request is a valid PUT to the AWS Instance Metadata Service (IMDS) at 169.254.169.254, complete with the X-aws-ec2-metadata-token-ttl-seconds header, a parameter that standard SSRF attacks cannot include and that IMDSv2 specifically requires to issue session tokens.
IMDSv2 Bypass
AWS introduced IMDSv2 as a defense against SSRF attacks targeting the metadata service. IMDSv2 requires a preliminary PUT request with a specific TTL header to obtain a session token, a step that traditional SSRF cannot complete.
CVE-2026-40175 circumvents this protection entirely because the injected CRLF sequence constructs a structurally valid PUT request within the smuggled payload that satisfies IMDSv2’s requirements.
The metadata service returns a session token, which the attacker can use to retrieve IAM role credentials, effectively handing over full control of the AWS account. The broader impact extends beyond cloud credential theft.
The same CRLF injection mechanism can be weaponized to inject Authorization or Cookie headers to pivot into internal administrative panels, manipulate Host headers to poison shared reverse proxy caches, and intercept or modify internal API traffic in microservice environments where Axios is the primary HTTP client.
Affected Versions and Mitigation
All Axios versions from v0.x through v1.x, including 1.13.2, are affected by the vulnerable header processing logic. The officially patched release is Axios v1.15.0, which introduces CRLF validation in both lib/adapters/http.js and xhr.js.
Organizations should prioritize upgrading immediately, particularly those running Node.js backends in AWS, GCP, or Azure.
For teams unable to upgrade immediately, a defensive code-level patch involves iterating over all outgoing request headers and throwing an error if any value contains \r or \n characters:
  // Placed in lib/adapters/http.js before headers are written to the socket;
  // `utils` is Axios's internal helper module, which is already in scope there.
  utils.forEach(requestHeaders, function setRequestHeader(val, key) {
    // Reject any header value carrying a carriage return or line feed,
    // the characters that allow the request to be split at the network layer.
    if (/[\r\n]/.test(val)) {
      throw new Error('Security: Header value contains invalid characters');
    }
  });
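As an added example, not code from the article or from Axios itself, this simplified JavaScript shows why the deep merge described above carries a polluted prototype key into the header set, how the CRLF check from the mitigation section catches it, and, going beyond the article's check, how copying own properties only keeps the key out entirely. The merge functions, the header names and the polluted value are constructed for the demonstration.

```javascript
// Simplified model (not Axios's code) of the pre-patch merge described above:
// for...in also walks inherited keys, so a key polluted onto Object.prototype
// is copied into the outgoing header set.
function naiveMergeHeaders(defaults, perRequest) {
  const out = {};
  for (const key in defaults) out[key] = defaults[key];
  for (const key in perRequest) out[key] = perRequest[key];
  return out;
}
// Hardening beyond the page's CRLF check: Object.assign copies own enumerable
// properties only, so an inherited (polluted) key never enters the header set.
function ownMergeHeaders(defaults, perRequest) {
  return Object.assign({}, defaults, perRequest);
}
// The mitigation check: refuse any header name or value carrying CR or LF,
// the characters that let one request be split into two on the socket.
function assertNoCrlf(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (/[\r\n]/.test(name) || /[\r\n]/.test(String(value))) {
      throw new Error(`Security: header "${name}" contains CR/LF`);
    }
  }
  return headers;
}
function rejectsCrlf(h) { try { assertNoCrlf(h); return false; } catch { return true; } }
// Pollute Object.prototype with a constructed key/value only while fn runs,
// then remove it so the demonstration leaves the runtime clean.
function withPollutedPrototype(key, value, fn) {
  Object.defineProperty(Object.prototype, key,
    { value, enumerable: true, configurable: true, writable: true });
  try { return fn(); } finally { delete Object.prototype[key]; }
}

// Constructed, benign stand-in for a polluted value: just a CRLF and a tag.
const CONSTRUCTED_POLLUTED_VALUE = 'dummy\r\nX-Injected: 1';

function demo() {
  return withPollutedPrototype('x-amz-target', CONSTRUCTED_POLLUTED_VALUE, () => {
    const base = { Accept: 'application/json' };  // the developer's own header
    const naive = naiveMergeHeaders(base, {});
    const hardened = ownMergeHeaders(base, {});
    const own = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
    return {
      naiveLeaksPollutedKey: own(naive, 'x-amz-target'),       // true
      hardenedLeaksPollutedKey: own(hardened, 'x-amz-target'), // false
      guardRejectsNaive: rejectsCrlf(naive),                   // true
      guardRejectsHardened: rejectsCrlf(hardened),             // false
    };
  });
}
```

Note that even after the hardened merge, a plain property read such as headers['x-amz-target'] would still resolve through the prototype chain, which is why what gets written to the wire should be driven by own keys (Object.entries) and guarded by the CRLF check regardless.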
Additionally, organizations should audit their full dependency tree for known Prototype Pollution vulnerabilities using tools like npm audit or Snyk, as any pollutable library in the stack becomes a potential entry point for this chain.
Enabling AWS IMDSv2 enforcement at the instance level (turning off IMDSv1 entirely) adds an important secondary layer of defense, though it does not fully neutralize this specific bypass technique.
Implications for Supply Chain Security
CVE-2026-40175 highlights a growing class of inter-library gadget vulnerabilities that are exceptionally difficult to detect through standard code review. A developer inspecting only their Axios usage would find no vulnerabilities; the danger arises from interactions between libraries at runtime.
This reinforces the need for runtime application self-protection (RASP), dependency graph monitoring, and zero-trust network architectures that restrict outbound SSRF vectors at the infrastructure level, regardless of application-layer controls.
With Axios downloaded over 50 million times weekly on npm, the potential blast radius of CVE-2026-40175 is substantial. Security teams should treat this as a high-priority emergency patch.
FAQs
Q1: What is CVE-2026-40175? It is a critical CVSS 9.9 vulnerability in the Axios npm library that allows CRLF header injection via Prototype Pollution to achieve AWS cloud compromise.
Q2: Which Axios versions are affected? All versions from v0.x through v1.x below 1.13.2 are vulnerable; the fix is available in Axios v1.15.0.
Q3: How does this bypass AWS IMDSv2? The CRLF injection injects a valid PUT request into the AWS metadata endpoint, satisfying IMDSv2’s session token requirement that standard SSRF attacks cannot.
Q4: How can developers protect their applications? Upgrade to Axios v1.15.0 immediately and audit all dependencies for Prototype Pollution flaws using npm audit or Snyk.
Site: thecybrdef.com