Introduction
A prototype pollution gadget chain in Axios, the most widely downloaded JavaScript HTTP client, allows a seemingly benign property injection in any third-party dependency to be escalated into full Remote Code Execution or cloud credential exfiltration, including AWS IMDSv2 bypass. With approximately 100 million weekly npm downloads and over 174,000 dependent packages, CVE-2026-40175 carries a CVSS score of 10.0 and represents a systemic risk to the JavaScript ecosystem. It arrives at a moment when the Axios project is already reeling from a nation-state supply chain compromise.
Technical Information
The root cause of CVE-2026-40175 is improper neutralization of CRLF (carriage return, line feed) sequences in HTTP headers, classified under CWE-113. The vulnerable code resides in the header processing logic within lib/adapters/http.js and xhr.js.
The Gadget Chain Mechanism
Axios performs automatic configuration merging when constructing HTTP requests. This design pattern, while convenient for developers, creates a dangerous "gadget" when combined with prototype pollution. Here is how the attack chain works:
Stage 1: Prototype Pollution (External Trigger)
An attacker first achieves prototype pollution through any vulnerable library in the application's dependency tree; common candidates include qs, minimist, ini, or body-parser. The pollution does not need to touch Axios or the code that calls it. Once Object.prototype carries attacker-controlled properties whose values contain CRLF sequences, the stage is set.
Stage 2: CRLF Injection via Configuration Merge (CWE-113)
When Axios merges its request configuration, the merge enumerates the polluted properties inherited from Object.prototype and picks them up as header values. Because Axios does not sanitize the merged values for carriage return (\r) and line feed (\n) characters, the attacker's payload is written directly into the outgoing HTTP headers. This transforms a prototype pollution primitive into a header injection primitive.
Stage 3: HTTP Request Smuggling (CWE-444)
The injected CRLF sequences let the attacker terminate the original request's headers and append an entirely new HTTP request on the same connection. Because an upstream proxy, load balancer, or web application firewall parses that appended data as a separate message, the controls that were applied to the original request do not apply to the smuggled one.
Stage 4: Server Side Request Forgery and Cloud Compromise (CWE-918)
The smuggled request is directed at internal endpoints that would normally be inaccessible. The most impactful target is the cloud instance metadata service. Notably, this chain bypasses AWS IMDSv2 protections, which are specifically designed to prevent SSRF-based credential theft. Successful exploitation yields temporary cloud credentials (IAM role credentials), enabling full cloud account compromise.
Vulnerability Component Mapping
| Vulnerability Component | Associated Weakness | Exploitation Outcome |
|---|---|---|
| Header Processing | CWE-113 (CRLF Injection) | Allows injection of malicious header instructions |
| Request Routing | CWE-444 (Request Smuggling) | Bypasses intermediary security controls |
| Endpoint Access | CWE-918 (SSRF) | Enables AWS IMDSv2 bypass and cloud compromise |
A critical aspect of this vulnerability is that no attacker input needs to reach the Axios call site directly. If any dependency in the application stack is vulnerable to prototype pollution, Axios silently becomes the escalation vector, even in code paths whose header values look entirely static.
Temporary Mitigation Code
For environments where immediate upgrading is not possible, the official advisory suggests implementing CRLF validation in the adapter layer:
```javascript
// Reject any header value containing CR or LF before it reaches the
// underlying request function (the advisory's suggested stopgap).
utils.forEach(requestHeaders, function setRequestHeader(val, key) {
  if (/[\r\n]/.test(val)) {
    throw new Error('Security: Header value contains invalid characters');
  }
});
```
This check should be applied in both lib/adapters/http.js and xhr.js before header values are passed to the underlying request function. It is a stopgap rather than a fix: it rejects a bad value only after the polluted property has already been merged into the request headers, so upgrading to 1.15.0 remains the actual remediation.
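To make Stage 1 and Stage 2 of the gadget chain, and the mitigation above, concrete, here is an added, self-contained JavaScript example. It is not Axios code and does not reproduce Axios's actual merge logic: it uses a deliberately naive `for...in` header merge as a stand-in for any merge that enumerates inherited properties, pollutes Object.prototype with a constructed CRLF payload the way a vulnerable parser might, shows the injected line appearing in the serialized header block, and contrasts it with a hardened merge that copies own properties only, into a null-prototype object, and applies the same CR/LF rejection as the advisory snippet. The header name `x-debug` and the payload are constructed for the demo.

```javascript
'use strict';

const CRLF_RE = /[\r\n]/;

// Naive merge: for...in also walks inherited properties, so anything an
// attacker planted on Object.prototype is copied in as if it were a header.
function naiveMergeHeaders(defaults, overrides) {
  const merged = {};
  for (const key in defaults) merged[key] = defaults[key];
  for (const key in overrides) merged[key] = overrides[key];
  return merged;
}

// Hardened merge: own keys only, null-prototype target (nothing to inherit),
// and the advisory's CR/LF rejection applied to both names and values.
function safeMergeHeaders(defaults, overrides) {
  const merged = Object.create(null);
  for (const src of [defaults, overrides]) {
    for (const key of Object.keys(src)) {
      const val = String(src[key]);
      if (CRLF_RE.test(key) || CRLF_RE.test(val)) {
        throw new Error(`Security: Header "${key}" contains invalid characters`);
      }
      merged[key] = val;
    }
  }
  return merged;
}

// Wire form of the header block. A CR/LF inside a value ends the line early,
// and whatever follows is read by the peer as a new header line.
function serializeHeaders(headers) {
  return Object.keys(headers).map((k) => `${k}: ${headers[k]}\r\n`).join('') + '\r\n';
}

// Stage 1 stand-in: pollute Object.prototype for the duration of fn(), the way
// a vulnerable parser handling "__proto__[x-debug]=..." input would, then clean up.
function withPollutedPrototype(name, value, fn) {
  Object.prototype[name] = value;
  try {
    return fn();
  } finally {
    delete Object.prototype[name];
  }
}

// Constructed demo inputs (hypothetical header name and payload).
const POLLUTED_KEY = 'x-debug';
const CRLF_PAYLOAD = 'on\r\nX-Injected: 1';

function runGadgetDemo() {
  const defaults = { accept: 'application/json' };
  const overrides = { 'user-agent': 'demo/1.0' };
  return withPollutedPrototype(POLLUTED_KEY, CRLF_PAYLOAD, () => {
    const naive = naiveMergeHeaders(defaults, overrides);
    const wire = serializeHeaders(naive);
    const safe = safeMergeHeaders(defaults, overrides);
    return {
      // Stage 2: the inherited property became an own property of the merged headers.
      naiveLeaked: Object.prototype.hasOwnProperty.call(naive, POLLUTED_KEY),
      // On the wire the payload reads as a second, attacker-chosen header line.
      wireInjected: wire.includes('\r\nX-Injected: 1\r\n'),
      wire,
      // Hardened merge: the polluted key is never copied.
      safeLeaked: POLLUTED_KEY in safe,
    };
  });
}

// The CR/LF check also fires when a caller passes a bad value explicitly.
function rejectsExplicitCrlf() {
  try {
    safeMergeHeaders({}, { 'x-note': 'a\r\nX-Injected: 1' });
    return false;
  } catch (e) {
    return /invalid characters/.test(e.message);
  }
}

console.log(JSON.stringify(runGadgetDemo(), null, 2));
console.log('explicit CRLF rejected:', rejectsExplicitCrlf());
```

Run with `node` and compare the `wire` field against the two header objects: the naive merge emits `x-debug: on`, then `X-Injected: 1` as a separate line that no caller ever wrote. The own-keys check is what stops Stage 2; the CR/LF check is defence in depth for values that arrive by any other route.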
Affected Systems and Versions
All versions of Axios prior to 1.15.0 are affected by CVE-2026-40175. The fix is included in version 1.15.0.
Organizations should also be aware that versions 1.14.1 and 0.30.4 are compromised by a separate supply chain attack and must not be used under any circumstances. The safe upgrade path is directly to version 1.15.0.
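As an added check (not from the advisory or the Axios project), the following script audits a package-lock.json for every installed copy of axios, including nested copies under transitive dependencies, and classifies each as compromised (1.14.1, 0.30.4), vulnerable (any other version below 1.15.0) or fixed. It expects the lockfileVersion 2 or 3 layout with a `packages` map; the sample lockfile embedded below is constructed for the demo, and the version numbers are taken from the advisory text above.

```javascript
'use strict';

const FIXED_VERSION = '1.15.0';
const COMPROMISED = new Set(['1.14.1', '0.30.4']);

// Parse the numeric major.minor.patch prefix; pre-release suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Exact-match the known-malicious releases first, then apply the "< 1.15.0" rule.
function classifyAxios(version) {
  if (COMPROMISED.has(version)) return 'compromised';
  if (compareVersions(version, FIXED_VERSION) < 0) return 'vulnerable';
  return 'fixed';
}

// Walk the "packages" map of a v2/v3 lockfile. Nested installs appear as
// "node_modules/<dep>/node_modules/axios", so match on the path suffix.
function auditLockfile(lock) {
  if (!lock.packages) throw new Error('expected lockfileVersion 2 or 3 ("packages" map)');
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === 'node_modules/axios' || path.endsWith('/node_modules/axios')) {
      findings.push({ path, version: entry.version, status: classifyAxios(entry.version) });
    }
  }
  return findings;
}

// Constructed sample lockfile: one compromised top-level copy and one
// vulnerable nested copy pulled in by a hypothetical SDK.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { axios: '^1.14.0', 'some-sdk': '^2.0.0' } },
    'node_modules/axios': { version: '1.14.1' },
    'node_modules/some-sdk': { version: '2.0.0', dependencies: { axios: '^0.30.0' } },
    'node_modules/some-sdk/node_modules/axios': { version: '0.30.3' },
  },
};

// Usage: node audit-axios.js [path/to/package-lock.json]; defaults to the sample.
const lock = process.argv[2]
  ? JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'))
  : SAMPLE_LOCK;
for (const f of auditLockfile(lock)) {
  console.log(`${f.status.padEnd(11)} axios@${f.version}  (${f.path})`);
}
```

Any `compromised` line is an incident, not a patching task: the install ran the dropper, so the host needs the response described in the vendor write-ups, not just a version bump.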
Vendor Security History
The Axios project has recently been the target of a significant supply chain attack. On March 31, 2026, threat actors compromised the lead maintainer's npm account and published malicious versions 1.14.1 and 0.30.4. These versions included a phantom dependency called "plain crypto js" that executed an obfuscated dropper during installation, deploying a cross-platform Remote Access Trojan known as WAVESHAPER.V2 on Windows, macOS, and Linux systems.
Microsoft Threat Intelligence and Google Threat Intelligence Group attributed this campaign to financially motivated North Korea-nexus actors tracked as UNC1069 and Sapphire Sleet. The combination of a CVSS 10.0 gadget chain vulnerability and an active nation-state supply chain campaign against the same library underscores the importance of rigorous dependency management for any project relying on Axios.
References
- NVD Entry for CVE-2026-40175
- GitHub Security Advisory GHSA-fvcv-3m26-pcqx: Unrestricted Cloud Metadata Exfiltration via Header Injection Chain
- Axios v1.15.0 Release Notes
- Fix Commit: Unrestricted Cloud Metadata Exfiltration via Header Injection Chain
- Pull Request #10660: Fix for Header Injection Chain
- Trend Micro: Axios NPM Package Compromised: Supply Chain Attack
- Google Cloud Blog: North Korea Nexus Threat Actor Compromises Widely Used Axios npm Package
- Microsoft Security Blog: Mitigating the Axios npm Supply Chain Compromise
- Elastic Security Labs: Inside the Axios Supply Chain Compromise
- Huntress: Supply Chain Compromise of axios npm Package
- Orca Security: Axios Supply Chain Attack Analysis and Fix



