CVE-2026-40175
Published: 10 April 2026
Summary
CVE-2026-40175 is a medium-severity HTTP Request/Response Splitting (CWE-113) vulnerability in Axios Axios. Its CVSS base score is 4.8 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 43.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-2 (Baseline Configuration).
Deeper analysis
CVE-2026-40175 affects the Axios library, a promise-based HTTP client used in browsers and Node.js environments, in versions prior to 1.15.0. The vulnerability enables a specific "Gadget" attack chain that escalates Prototype Pollution occurring in any third-party dependency into Remote Code Execution (RCE) or Full Cloud Compromise, including via AWS IMDSv2 bypass. It is associated with CWEs-113, CWE-444, and CWE-918, and carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating critical severity.
Remote attackers with network access can exploit this vulnerability with low complexity, no required privileges, and no user interaction. By leveraging Prototype Pollution in a third-party dependency, they can chain it through Axios to achieve RCE on the target system or full compromise of cloud environments, such as bypassing AWS IMDSv2 protections.
The vulnerability is addressed in Axios version 1.15.0. Mitigation involves updating to this patched release, as detailed in the official GitHub security advisory (GHSA-fvcv-3m26-pcqx), the release notes for v1.15.0, and the fixing commit and pull request.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-21573
Vulnerability details
Axios is a promise based HTTP client for the browser and Node.js. Versions prior to 1.15.0 and 0.3.1 are vulnerable to a specific gadget-style attack chain in which prototype pollution in a third-party dependency may be leveraged to inject unsanitized…
more
header values into outbound requests. This vulnerability is fixed in 1.15.0 and 0.3.1.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability allows remote, unauthenticated exploitation of a widely used HTTP client library (Axios) in web applications or Node.js environments, leading to RCE via prototype pollution gadget chains, directly mapping to Exploit Public-Facing Application.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires timely remediation of known software flaws by applying the vendor patch that eliminates the prototype-pollution gadget chain in Axios.
Establishes approved baseline configurations that explicitly include the patched Axios version, preventing vulnerable releases from remaining in the deployed software inventory.
Enforces configuration settings that restrict use of unapproved or vulnerable library versions, blocking the Axios component that enables header-injection escalation.