Cyber Resilience

CVE-2026-40175

Medium · Public PoC · Updated

Published: 10 April 2026

Modified: 30 June 2026
KEV Added
Patch
CVSS score (v3.1): 4.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
EPSS score: 0.0093 (56.2th percentile)
Risk priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-40175 is a medium-severity HTTP Request/Response Splitting (CWE-113) vulnerability in Axios Axios. Its CVSS base score is 4.8 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 43.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-2 (Baseline Configuration).

Deeper analysis

CVE-2026-40175 affects the Axios library, a promise-based HTTP client used in browsers and Node.js environments, in versions prior to 1.15.0. The vulnerability enables a specific "gadget" attack chain that escalates prototype pollution occurring in any third-party dependency into Remote Code Execution (RCE) or full cloud compromise, including via AWS IMDSv2 bypass. It is associated with CWE-113, CWE-444, and CWE-918, and carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating critical severity.

Remote attackers with network access can exploit this vulnerability with low complexity, no required privileges, and no user interaction. By leveraging Prototype Pollution in a third-party dependency, they can chain it through Axios to achieve RCE on the target system or full compromise of cloud environments, such as bypassing AWS IMDSv2 protections.

The vulnerability is addressed in Axios version 1.15.0. Mitigation involves updating to this patched release, as detailed in the official GitHub security advisory (GHSA-fvcv-3m26-pcqx), the release notes for v1.15.0, and the fixing commit and pull request.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Axios is a promise-based HTTP client for the browser and Node.js. Versions prior to 1.15.0 and 0.3.1 are vulnerable to a specific gadget-style attack chain in which prototype pollution in a third-party dependency may be leveraged to inject unsanitized header values into outbound requests. This vulnerability is fixed in 1.15.0 and 0.3.1.
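To make the defect class concrete, here is an added JavaScript example (it is not Axios code and not the project's fix): a header merge that walks inherited properties picks up a polluted Object.prototype key and would write it to the outbound request, while a merge restricted to own properties that also rejects CR/LF in header names and values does not. The pollution is constructed inline, standing in for a vulnerable third-party dependency, and is removed afterwards.

```javascript
// Added example, not Axios code: why header merging must ignore inherited
// (possibly polluted) prototype properties and reject CR/LF in header values.
const CRLF = /[\r\n]/;

// Naive merge: for...in also walks inherited enumerable keys, so a polluted
// Object.prototype property silently becomes an outbound request header.
function mergeHeadersNaive(defaults, perRequest) {
  const out = {};
  for (const k in defaults) out[k] = defaults[k];
  for (const k in perRequest) out[k] = perRequest[k];
  return out;
}

// Hardened merge: own properties only, null-prototype result, and any header
// name or value containing CR/LF (the request-splitting characters) is rejected.
function mergeHeadersHardened(defaults, perRequest) {
  const out = Object.create(null);
  for (const src of [defaults, perRequest]) {
    for (const k of Object.keys(src)) {
      const v = String(src[k]);
      if (CRLF.test(k) || CRLF.test(v)) throw new TypeError(`CR/LF in header "${k}"`);
      out[k] = v;
    }
  }
  return out;
}

// Demonstration with a constructed pollution (stands in for a vulnerable
// third-party dependency); the property is deleted again in `finally`.
function demo() {
  const polluted = 'X-Polluted-Demo';
  Object.prototype[polluted] = 'x\r\nX-Smuggled: yes';
  const has = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
  try {
    const naive = mergeHeadersNaive({ Accept: '*/*' }, {});
    const hardened = mergeHeadersHardened({ Accept: '*/*' }, {});
    let rejects = false;
    try { mergeHeadersHardened({}, { 'X-Req': 'a\r\nX-Smuggled: yes' }); }
    catch (e) { rejects = e instanceof TypeError; }
    return {
      naiveCarriesPolluted: has(naive, polluted),      // true: pollution leaks into headers
      hardenedCarriesPolluted: has(hardened, polluted), // false: inherited keys ignored
      hardenedRejectsCrlf: rejects,                     // true: explicit CR/LF is refused
    };
  } finally {
    delete Object.prototype[polluted];
  }
}

console.log(demo());
```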

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability allows remote, unauthenticated exploitation of a widely used HTTP client library (Axios) in web applications or Node.js environments, leading to RCE via prototype pollution gadget chains, directly mapping to Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-62718 · Same product: Axios Axios
CVE-2026-42043 · Same product: Axios Axios
CVE-2026-42038 · Same product: Axios Axios
CVE-2026-42035 · Same product: Axios Axios
CVE-2024-57965 · Same product: Axios Axios
CVE-2026-42044 · Same product: Axios Axios
CVE-2026-42033 · Same product: Axios Axios
CVE-2026-25639 · Same product: Axios Axios
CVE-2026-42264 · Same product: Axios Axios
CVE-2026-42039 · Same product: Axios Axios

Affected Assets

axios / axios: ≤ 0.31.0 · 1.0.0 — 1.15.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely remediation of known software flaws by applying the vendor patch that eliminates the prototype-pollution gadget chain in Axios.

prevent

Establishes approved baseline configurations that explicitly include the patched Axios version, preventing vulnerable releases from remaining in the deployed software inventory.

prevent

Enforces configuration settings that restrict use of unapproved or vulnerable library versions, blocking the Axios component that enables header-injection escalation.

References