CVE-2026-40175
Published: 10 April 2026
Summary
CVE-2026-40175 is a medium-severity HTTP Request/Response Splitting (CWE-113) vulnerability in Axios. Its CVSS base score is 4.8 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 7.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Mandates timely flaw remediation by patching Axios to versions 1.15.0 or 0.3.1, directly eliminating the prototype pollution gadget chain leading to RCE.
Requires vulnerability scanning of software dependencies to identify and prioritize the critical Axios vulnerability (CVE-2026-40175) for remediation.
Maintains an inventory of system components including third-party libraries like Axios, enabling identification and management of vulnerable versions.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows remote, unauthenticated exploitation of a widely used HTTP client library (Axios) in web applications or Node.js environments, leading to RCE via prototype pollution gadget chains, directly mapping to Exploit Public-Facing Application.
NVD Description
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.3.1, the Axios library is vulnerable to a specific "Gadget" attack chain that allows Prototype Pollution in any third-party dependency to be escalated into Remote Code Execution (RCE) or Full Cloud Compromise (via AWS IMDSv2 bypass). This vulnerability is fixed in 1.15.0 and 0.3.1.
Deeper analysis
CVE-2026-40175 affects the Axios library, a promise-based HTTP client used in browsers and Node.js environments, in versions prior to 1.15.0. The vulnerability enables a specific "Gadget" attack chain that escalates Prototype Pollution occurring in any third-party dependency into Remote Code Execution (RCE) or Full Cloud Compromise, including via AWS IMDSv2 bypass. It is associated with CWE-113, CWE-444, and CWE-918, and carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating critical severity.
Remote attackers with network access can exploit this vulnerability with low complexity, no required privileges, and no user interaction. By leveraging Prototype Pollution in a third-party dependency, they can chain it through Axios to achieve RCE on the target system or full compromise of cloud environments, such as bypassing AWS IMDSv2 protections.
The vulnerability is addressed in Axios version 1.15.0. Mitigation involves updating to this patched release, as detailed in the official GitHub security advisory (GHSA-fvcv-3m26-pcqx), the release notes for v1.15.0, and the fixing commit and pull request.
Details
- CWE(s)