Prototype Pollution and Remote Code Execution Vulnerability in Axios HTTP Client
CVE-2026-40175

10 CRITICAL

Key Information:

Vendor: Axios
Status: Vendor
CVE Published: 10 April 2026

What is CVE-2026-40175?

The Axios library, a popular promise-based HTTP client for browsers and Node.js, contains a vulnerability that enables a 'gadget' attack chain: prototype pollution can be used to exploit third-party dependencies, potentially leading to Remote Code Execution (RCE). Attackers may further compromise cloud environments by bypassing AWS IMDSv2 protections. Users are advised to upgrade to Axios version 1.15.0 or later to mitigate this risk.

Affected Version(s)

axios < 1.15.0

CVSS v3.1

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published
  • Vulnerability reserved