PT-2026-32030 · Axios · Axios

Published

2026-04-09

·

Updated

2026-05-29

·

CVE-2026-40175

CVSS v2.0

10

High

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

axios versions prior to 1.15.0
axios versions prior to 0.3.1

Description

The axios library is vulnerable to a gadget attack chain in which prototype pollution in any third-party dependency can be escalated. This occurs because the library does not sanitize HTTP header values for carriage return and line feed (CRLF) characters, allowing an attacker who controls a header value to inject separate HTTP requests. This can lead to request smuggling, server-side request forgery (SSRF), and the bypass of AWS IMDSv2 to exfiltrate cloud metadata and IAM credentials, potentially resulting in remote code execution (RCE) or full cloud compromise. The issue is particularly risky with custom axios adapters or non-standard configurations that bypass the standard Node.js HTTP stack, since that stack normally rejects CRLF in header values and so blocks the injection.

Recommendations

Update axios to version 1.15.0 or newer. Update axios to version 0.3.1 or newer. As a temporary workaround, restrict the use of custom axios adapters or manual request constructions that bypass the standard HTTP stack.
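The check that a custom adapter has to perform itself once it bypasses Node's http module, shown as an added example (this is not axios's own code and is not taken from the advisory; the function names, the sample header map and the planted prototype value are all constructed for illustration):

```javascript
// Added example, not axios code: the validation a custom adapter should apply
// to every outgoing header before it serialises the request on its own.
// Node's http module rejects CR/LF in header values; an adapter that bypasses
// it must do the same, and it must also ignore header keys that arrive through
// the prototype chain rather than as own properties of the header map.

const CRLF = /[\r\n]/;
// RFC 7230 token characters, the only ones allowed in a header field name.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Returns a new map holding only own, well-formed header fields. Throws on a
// name or value that could terminate the header line or start a new request.
function sanitizeHeaders(headers) {
  const clean = {};
  for (const name of Object.keys(headers)) {          // own keys only
    if (!TOKEN.test(name)) {
      throw new TypeError(`illegal header name: ${JSON.stringify(name)}`);
    }
    const raw = headers[name];
    const value = Array.isArray(raw) ? raw.join(', ') : String(raw);
    if (CRLF.test(value)) {
      throw new TypeError(`CR or LF in value of header ${name}`);
    }
    clean[name] = value;
  }
  return clean;
}

// Number of fields an adapter would emit if it walked the map with for...in,
// which also visits enumerable properties inherited from the prototype.
function countWithForIn(headers) {
  let n = 0;
  for (const _name in headers) n++;
  return n;
}

// Constructed sample input. The prototype object stands in for a value planted
// by prototype pollution somewhere in the dependency tree; the own property is
// the header the application actually set.
const sampleHeaders = Object.create({ 'X-Injected': 'a\r\nX-Smuggled: 1' });
sampleHeaders.Accept = 'application/json';

// Runs the sample through both paths and reports what each one would emit.
function demo() {
  let rejected = null;
  try {
    sanitizeHeaders({ Accept: 'text/html\r\nX-Smuggled: 1' });
  } catch (e) {
    rejected = e.message;
  }
  return {
    seenByForIn: countWithForIn(sampleHeaders),   // 2: the polluted key leaks in
    sanitized: sanitizeHeaders(sampleHeaders),    // { Accept: 'application/json' }
    rejected,                                     // message for the CRLF value
  };
}
```

The two points the example makes are independent: `Object.keys` keeps a polluted `X-Injected` out of the request even though `for...in` would have emitted it, and the CR/LF test rejects an own header value that was already polluted or user-controlled before it reaches the adapter.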

Fix

LPE

RCE

HTTP Request/Response Smuggling

SSRF

Weakness Enumeration

Related Identifiers

BDU:2026-05270
CLEANSTART-2026-BE61221
CLEANSTART-2026-LC05413
CVE-2026-40175
GHSA-FVCV-3M26-PCQX

Affected Products

Axios