CVE-2026-40175
Severity CVSS v4.0:
Pending analysis
Type:
CWE-113
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
Publication date:
10/04/2026
Last modified:
12/05/2026
Description
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.3.1, the Axios library is vulnerable to a specific "Gadget" attack chain that allows Prototype Pollution in any third-party dependency to be escalated into Remote Code Execution (RCE) or Full Cloud Compromise (via AWS IMDSv2 bypass). This vulnerability is fixed in 1.15.0 and 0.3.1.
Impact
Base Score 3.x
4.80
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:axios:axios:*:*:*:*:*:node.js:*:* | 0.31.0 (excluding) | |
| cpe:2.3:a:axios:axios:*:*:*:*:*:node.js:*:* | 1.0.0 (including) | 1.15.0 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://github.com/axios/axios/commit/03cdfc99e8db32a390e12128208b6778492cee9c
- https://github.com/axios/axios/commit/363185461b90b1b78845dc8a99a1f103d9b122a1
- https://github.com/axios/axios/pull/10660
- https://github.com/axios/axios/pull/10688
- https://github.com/axios/axios/releases/tag/v0.31.0
- https://github.com/axios/axios/releases/tag/v1.15.0
- https://github.com/axios/axios/security/advisories/GHSA-fvcv-3m26-pcqx
- https://github.com/axios/axios/pull/10660#issuecomment-4224168081
- https://cert-portal.siemens.com/productcert/html/ssa-876049.html