CVE-2026-40175: Header Injection in Axios via Prototype Pollution Gadget
Vulnerability ID: CVE-2026-40175
CVSS Score: 10.0
Published: 2026-04-10
CVE-2026-40175 is a critical Header Injection vulnerability in the Axios HTTP client library. It functions as an exploitation gadget in Prototype Pollution attack chains, enabling HTTP request smuggling and splitting. This flaw allows attackers to bypass SSRF mitigations and achieve full cloud compromise via internal service interactions.
TL;DR
Axios configuration merging insecurely inherits from Object.prototype and fails to validate internal CRLF characters. Attackers use prototype pollution to inject malicious headers, smuggling secondary HTTP requests to internal endpoints like AWS IMDSv2.
⚠️ Exploit Status: POC
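The contrast below is an added example, not Axios's own code and not taken from the PoC repositories cited later: a merge that walks inherited keys with `for...in` and no CR/LF check picks up a polluted `Object.prototype` entry, while a merge that copies own properties only and rejects CR/LF in header names and values does not. The helper names and the header values are constructed for the demonstration.

```javascript
// Added example: header merging with and without prototype-pollution and CRLF hardening.
const CRLF = /[\r\n]/;

// Risky pattern: for...in visits enumerable inherited keys, and nothing
// validates the value, so a polluted prototype entry becomes a request header.
function naiveMergeHeaders(defaults, overrides) {
  const out = {};
  for (const k in defaults) out[k] = defaults[k];
  for (const k in overrides) out[k] = overrides[k];
  return out;
}

// Hardened pattern: null-prototype target, own enumerable keys only,
// and any CR or LF in a name or value is rejected before it reaches the wire.
function safeMergeHeaders(defaults, overrides) {
  const out = Object.create(null);
  for (const src of [defaults, overrides]) {
    for (const name of Object.keys(src)) {
      const value = String(src[name]);
      if (CRLF.test(name) || CRLF.test(value)) {
        throw new TypeError(`Invalid character in header "${name}"`);
      }
      out[name] = value;
    }
  }
  return out;
}

// Simulates an upstream pollution bug for the duration of the call, then cleans up.
function demo() {
  const defaults = { 'User-Agent': 'demo/1.0' };
  const overrides = { Accept: 'application/json' };
  Object.prototype['X-Injected'] = 'a\r\nHost: internal'; // constructed pollution
  try {
    const naive = naiveMergeHeaders(defaults, overrides);
    const safe = safeMergeHeaders(defaults, overrides);
    let safeRejected = false;
    try {
      safeMergeHeaders(defaults, { 'X-Injected': 'a\r\nHost: internal' });
    } catch (e) {
      safeRejected = e instanceof TypeError;
    }
    return {
      naiveInherits: Object.prototype.hasOwnProperty.call(naive, 'X-Injected') && CRLF.test(naive['X-Injected']),
      safeIgnores: !('X-Injected' in safe),
      safeRejected,
    };
  } finally {
    delete Object.prototype['X-Injected'];
  }
}
```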
Technical Details
- CWE ID: CWE-113 (Improper Neutralization of CRLF Sequences)
- Attack Vector: Network
- CVSS: 10.0 (Critical)
- EPSS: 0.40%
- Impact: SSRF Bypass / Remote Code Execution / Cloud Compromise
- Exploit Status: Proof of Concept Available
- KEV Status: Not Listed
Affected Systems
- Node.js Applications
- Cloud Infrastructure (AWS EC2 instances via IMDSv2 targeting)
- axios: >= 1.0.0, < 1.15.0 (Fixed in: 1.15.0)
- axios: < 0.31.0 (Fixed in: 0.31.0)
Code Analysis
Commit: 3631854
Fix for header injection via prototype pollution on 1.x branch
Commit: 03cdfc9
Backport header sanitization to legacy 0.x branch
Exploit Details
- GitHub (0xBlackash): Proof of Concept repository demonstrating chained attack
- GitHub (kengzzzz): Exploit methodology and test harness
Mitigation Strategies
- Upgrade Axios to version 1.15.0 or 0.31.0.
- Identify and patch Prototype Pollution sources in dependency trees.
- Implement application-level runtime protections like Object.freeze(Object.prototype).
- Deploy WAF rules to block unusual structural inputs indicating CRLF injection attempts.
Remediation Steps
- Audit application dependencies using npm audit or Snyk to locate outdated versions of Axios.
- Update package.json to require Axios >= 1.15.0 (or >= 0.31.0 for 0.x branches).
- Execute dependency updates and verify the lockfile reflects the patched version.
- Run unit and integration tests to ensure strict header validation does not disrupt legitimate application functionality.
- Audit the dependency tree for known prototype pollution vulnerabilities in libraries like lodash, qs, or picomatch.
References
- GHSA-fvcv-3m26-pcqx
- Commit 363185461b90b1b78845dc8a99a1f103d9b122a1
- Commit 03cdfc99e8db32a390e12128208b6778492cee9c
- 0xBlackash PoC
- kengzzzz PoC