CVE-2026-40175
Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain
| CVSS Score | 4.8 |
| EPSS Score | 0.5% |
| EPSS Percentile | 67th |
Axios is a promise-based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.3.1, the Axios library is vulnerable to a specific "gadget" attack chain that allows a Prototype Pollution flaw in any third-party dependency to be escalated into Remote Code Execution (RCE) or full cloud compromise (via an AWS IMDSv2 bypass). This vulnerability is fixed in 1.15.0 and 0.3.1.
| CWE | CWE-113, CWE-444, CWE-918 |
| Vendor | axios |
| Product | axios |
| Published | Apr 10, 2026 |
| Last Updated | Apr 16, 2026 |
CVSS v3 Breakdown
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
| Metric | Value |
| --- | --- |
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity | Low |
| Availability | None |
Affected Versions
| Package | Affected range |
| --- | --- |
| axios / axios | >= 1.0.0, < 1.15.0 |
| axios / axios | < 0.31.0 |
References
- github.com: https://github.com/axios/axios/security/advisories/GHSA-fvcv-3m26-pcqx
- github.com: https://github.com/axios/axios/pull/10660
- github.com: https://github.com/axios/axios/pull/10688
- github.com: https://github.com/axios/axios/commit/03cdfc99e8db32a390e12128208b6778492cee9c
- github.com: https://github.com/axios/axios/commit/363185461b90b1b78845dc8a99a1f103d9b122a1
- github.com: https://github.com/axios/axios/releases/tag/v0.31.0
- github.com: https://github.com/axios/axios/releases/tag/v1.15.0
- github.com: https://github.com/axios/axios/pull/10660#issuecomment-4224168081