Critical Axios flaw can enable cloud metadata theft through a gadget chain, and a PoC is now public
Axios has patched a critical vulnerability that can turn prototype pollution elsewhere in an application’s dependency stack into cloud metadata theft and, in some cases, broader compromise. The flaw is tracked as CVE-2026-40175 and affects Axios versions before 1.15.0. GitHub’s advisory says the issue can escalate third-party prototype pollution into “Remote Code Execution (RCE) or Full Cloud Compromise,” while Axios 1.15.0 fixes it.
The important nuance is that the flaw is not described as a standalone zero-click RCE bug in every setup. The advisory calls it a “gadget” attack chain. An attacker first needs prototype pollution in another dependency, and then Axios can pick up polluted properties during config merge and send malicious header values without blocking CRLF characters.
A public proof of concept is already available in the advisory itself. GitHub’s disclosure includes example payloads that show how a polluted Object.prototype value could inject extra HTTP requests and target AWS IMDSv2 for token theft.
What the Axios bug actually does
According to the GitHub-reviewed advisory, the problem sits in Axios header handling. If another package in the app lets an attacker pollute Object.prototype, Axios may merge those poisoned values into request headers during normal request creation. Because Axios did not sanitize CRLF characters in those merged header values, the bad data could become a request smuggling payload.
The advisory’s example shows how that chain can turn a seemingly safe internal request into a second, attacker-controlled request aimed at the AWS metadata service. In that scenario, the injected request includes the header needed to get an IMDSv2 session token, which can then expose IAM credentials.
That is why this flaw has drawn so much attention. It does not just involve malformed headers. It can help turn one weakness elsewhere in the stack into credential theft, internal pivoting, cache poisoning, or wider cloud compromise.
Patch details and affected versions
GitHub’s advisory says affected versions are below 1.15.0, and NVD uses the same version boundary in its description. Axios also lists the fix in its official v1.15.0 release notes under “Security Fixes,” where it describes the issue as an unrestricted cloud metadata exfiltration vulnerability via a header injection chain.
The Axios release notes also show this was not the only security fix in 1.15.0. The same release patched a separate no_proxy hostname normalization bypass that could lead to SSRF.
In the related pull request, the maintainer summary says the patch blocks CRLF header injection chains by rejecting invalid header values. It also notes that requests with invalid headers now fail instead of being sent.
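To make the chain described above concrete, here is an added illustration (not Axios's own code or its patch) of the two defensive properties the advisory and pull request point at: a header merge that only copies own properties, so a key planted on Object.prototype by some other dependency never reaches the request, and a validator that fails the request when a header name or value carries CR/LF. The `TOKEN` name check and the polluted key `x-polluted` are assumptions constructed for the demo.

```javascript
// Added example, not Axios's own code: an own-keys-only header merge that
// fails on CR/LF, mirroring the behaviour the page attributes to 1.15.0.
const CRLF = /[\r\n]/;
// Simplified RFC 7230 token check for header names (assumption).
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

function assertValidHeader(name, value) {
  if (!TOKEN.test(name)) throw new TypeError(`invalid header name: ${name}`);
  const str = String(value);
  if (CRLF.test(str)) throw new TypeError(`CR/LF in header value for ${name}`);
  return str;
}

function mergeHeaders(...sources) {
  const out = Object.create(null); // cannot inherit polluted keys itself
  for (const src of sources) {
    if (src == null) continue;
    // Object.keys yields own enumerable keys only: an inherited key never copies.
    for (const name of Object.keys(src)) {
      out[name.toLowerCase()] = assertValidHeader(name, src[name]);
    }
  }
  return out;
}

// The unsafe pattern: for...in also walks inherited enumerable keys.
function naiveMerge(...sources) {
  const out = {};
  for (const src of sources) {
    for (const k in src) out[k.toLowerCase()] = String(src[k]);
  }
  return out;
}

function demo() {
  const defaults = { Accept: 'application/json' };
  const perRequest = { 'X-Request-Id': 'abc123' };
  // Constructed pollution standing in for a bug in some other dependency.
  Object.prototype['x-polluted'] = 'value\r\nX-Injected: 1';
  try {
    const leaky = naiveMerge(defaults, perRequest);
    return {
      leaked: Object.prototype.hasOwnProperty.call(leaky, 'x-polluted'),
      strict: mergeHeaders(defaults, perRequest),
    };
  } finally {
    delete Object.prototype['x-polluted'];
  }
}
```

`demo()` shows the naive merge picking up the inherited key while the strict merge returns only the two real headers; feeding the strict merge a value containing CR/LF throws instead of sending.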
Why the PoC matters
The PoC makes the attack path easier to understand for defenders, but it also lowers the bar for copycat testing. In this case, the disclosure includes a concrete payload example, a request flow, and a description of how the chain can reach AWS metadata endpoints.
Still, admins should not read this as “any Axios app is instantly remotely exploitable.” The attack needs more than Axios alone. The advisory repeatedly frames the bug as something that escalates prototype pollution in another library. That condition matters and should stay in the headline context when describing risk.
For cloud-hosted Node.js apps, the risk grows when internal services, metadata endpoints, or sensitive admin interfaces sit within reach of outbound requests. That is where a header-injection chain can become far more damaging than a simple client bug.
Key facts at a glance
| Item | Details |
|---|---|
| CVE | CVE-2026-40175 |
| Library | Axios |
| Affected versions | Earlier than 1.15.0 |
| Fixed version | 1.15.0 |
| Root issue | CRLF header injection in a gadget chain tied to prototype pollution elsewhere |
| Main impact | Cloud metadata exfiltration, internal request manipulation, possible wider compromise |
| Public PoC | Yes, included in the advisory |
What developers and security teams should do
- Upgrade Axios to 1.15.0 or later immediately.
- Audit the broader dependency tree for prototype pollution bugs, because this chain depends on pollution elsewhere in the stack.
- Restrict access to cloud metadata services and sensitive internal endpoints where possible.
- Review outbound request paths from Node.js services that use Axios, especially in cloud workloads.
- Treat CRLF header validation failures as security signals, not just malformed input noise.
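The first step above, upgrading to 1.15.0 or later, is easy to get wrong when a second copy of Axios is nested under another dependency. The following added script (not from the Axios project) walks a package-lock.json v2/v3 `packages` map and reports every Axios copy older than the fixed version; the lock fragment and its versions are constructed for the demo.

```javascript
// Added example: find every axios copy in a package-lock.json v2/v3 "packages"
// map that is older than the fixed release, including nested copies.
const FIXED = '1.15.0';

function parseVersion(v) {
  // Drop prerelease/build suffixes and compare numeric major.minor.patch.
  return v.split(/[-+]/)[0].split('.').map(n => parseInt(n, 10) || 0);
}

function isOlderThan(version, baseline) {
  const a = parseVersion(version), b = parseVersion(baseline);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0);
  }
  return false;
}

function findVulnerableAxios(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Any path ending in node_modules/axios is a copy of the library.
    if (!/(^|\/)node_modules\/axios$/.test(path)) continue;
    if (meta && meta.version && isOlderThan(meta.version, FIXED)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed lock fragment: an outdated top-level copy, a nested copy that
// is already fixed, and an outdated nested copy pulled in by a plugin.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/axios': { version: '1.14.0' },
    'node_modules/some-sdk/node_modules/axios': { version: '1.15.0' },
    'node_modules/old-plugin/node_modules/axios': { version: '0.21.4' },
  },
};

function main() {
  const hits = findVulnerableAxios(SAMPLE_LOCK);
  for (const h of hits) console.log(`${h.path}: ${h.version} < ${FIXED}`);
  return hits;
}
// For a real project: findVulnerableAxios(JSON.parse(
//   require('fs').readFileSync('package-lock.json', 'utf8')));
```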
FAQ
Not in the simple sense. The advisory describes a gadget chain where Axios helps escalate prototype pollution in another dependency into more serious impact, including possible RCE or full cloud compromise in some environments.
Versions before 1.15.0 are affected, and 1.15.0 contains the fix.
Yes. The public advisory includes a PoC-style example that demonstrates the pollution and header injection chain.
For many teams, the clearest risk is cloud metadata theft and credential exposure, especially in environments where internal services or metadata endpoints are reachable.