Prototype Pollution and Remote Code Execution Vulnerability in Axios HTTP Client
CVE-2026-40175

4.8 MEDIUM

Key Information:

Vendor

axios

Status
Vendor
CVE Published:
10 April 2026

Badges

📈 Trended · 📈 Score: 2,340 · 👾 Exploit Exists · 🟡 Public PoC · 📰 News Worthy

What is CVE-2026-40175?

CVE-2026-40175 is a significant vulnerability affecting the Axios HTTP client, a popular library used for making HTTP requests in both browser and Node.js environments. This vulnerability specifically involves a "Gadget" attack chain that leads to Prototype Pollution, allowing attackers to manipulate properties in JavaScript objects. This flaw can escalate into Remote Code Execution (RCE), posing a severe risk to organizations utilizing Axios versions before 1.15.0. If exploited, attackers could potentially gain unauthorized access and control over the affected systems, leading to drastic consequences including data leaks, unauthorized actions, and full compromise of cloud environments through techniques like AWS Instance Metadata Service v2 (IMDSv2) bypass. The vulnerability was addressed in Axios version 1.15.0, and as such, organizations are strongly advised to upgrade to mitigate these risks.

Potential impact of CVE-2026-40175

  1. Remote Code Execution: The ability for attackers to execute arbitrary code on affected systems could lead to complete system compromise, allowing malicious actors to install additional malware, access sensitive data, or disrupt services.

  2. Cloud Infrastructure Compromise: Through the exploitation of the vulnerability, attackers could potentially bypass cloud security measures, leading to unauthorized access to cloud resources, which may result in further attacks or data exfiltration.

  3. Impact on Third-party Dependencies: The Prototype Pollution flaw could affect not only the immediate application but also any third-party dependencies relying on Axios, thereby widening the vulnerability's impact across various interconnected systems and services.
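The description above says the flaw is a gadget chain that reaches Prototype Pollution. The example below is added here to illustrate the mechanism in general terms; it is not code from axios, from this page, or from the advisory, and it makes no claim about where in axios the gadget sits. It shows the classic vulnerable pattern (a recursive merge that walks attacker-supplied keys such as `__proto__` into `Object.prototype`), a hardened merge that refuses those keys, and a runtime hardening step (`Object.freeze(Object.prototype)`) as defence in depth. All function names and the JSON payload are constructed for the demonstration.

```javascript
// Added example, not code from axios or from this page.
// Demonstrates the prototype-pollution pattern the advisory describes and two defences.

const DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Vulnerable pattern: recursively merge every key of `source` into `target`.
// A JSON document parsed with JSON.parse can carry an own property named
// "__proto__"; reading target["__proto__"] yields Object.prototype, so the
// recursion writes attacker-chosen keys onto every object in the process.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (typeof value === "object" && value !== null) {
      if (typeof target[key] !== "object" || target[key] === null) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: only own keys of `source`, prototype-reaching keys dropped,
// and only own properties of `target` are descended into.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (DANGEROUS_KEYS.has(key)) continue; // never walk into the prototype chain
    const value = source[key];
    if (typeof value === "object" && value !== null && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== "object" || target[key] === null) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Defence in depth: a frozen Object.prototype rejects pollution writes
// (silently in sloppy mode, with a TypeError in strict mode).
function hardenPrototypes() {
  Object.freeze(Object.prototype);
}

// Constructed payload: the shape a polluting input takes after JSON.parse.
const POLLUTING_JSON = '{"__proto__": {"isAdmin": true}, "timeout": 5}';

// Returns true when the merge polluted Object.prototype (the vulnerable case).
function demoUnsafe() {
  const payload = JSON.parse(POLLUTING_JSON);
  try {
    unsafeMerge({}, payload);
  } catch (e) {
    // A frozen prototype throws under strict mode; either way, no pollution.
  }
  const polluted = ({}).isAdmin === true; // a fresh object inherits the injected key
  delete Object.prototype.isAdmin;         // clean up so later checks start from a clean state
  return polluted;
}

// Returns whether pollution occurred and the legitimate value that was merged.
function demoSafe() {
  const payload = JSON.parse(POLLUTING_JSON);
  const result = safeMerge({}, payload);
  return { polluted: ({}).isAdmin === true, timeout: result.timeout };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafeMerge polluted Object.prototype:", demoUnsafe());
  console.log("safeMerge result:", demoSafe());
  hardenPrototypes();
  console.log("after Object.freeze(Object.prototype):", demoUnsafe());
}
```

The practical check this gives a defender is twofold: any merge, extend or config-loading routine that recurses over untrusted keys should skip `__proto__`, `constructor` and `prototype` (or build objects with `Object.create(null)`), and freezing `Object.prototype` at process start stops the whole class of writes, with the caveat that a few older libraries still patch built-in prototypes and will break under it. Neither replaces the upgrade to axios 1.15.0 that the advisory recommends.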

Affected Version(s)

axios: affected >= 1.0.0, < 1.15.0; unaffected < 1.0.0; fixed in 1.15.0

axios < 0.31.0 < 0.31.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware.

News Articles

Critical Axios Vulnerability Enables Remote Code Execution, PoC Released - IT Security News

A critical security vulnerability has been discovered in Axios, one of the most widely used HTTP client libraries, exposing applications to Remote Code Execution (RCE) and full cloud infrastructure compromise. Tracked as CVE-2026-40175, this flaw carries a critical CVSS 3.1…

3 weeks ago

References

CVSS V3.1

Score: 4.8
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • 📈 Vulnerability started trending

  • 📰 First article discovered by IT Security News

  • Vulnerability published

  • Vulnerability Reserved
