9

CVE-2026-40175

Medienbericht
Exploit

Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain

Axios is a promise based HTTP client for the browser and Node.js. Versions prior to 1.15.0 and 0.3.1 are vulnerable to a specific gadget-style attack chain in which prototype pollution in a third-party dependency may be leveraged to inject unsanitized header values into outbound requests. This vulnerability is fixed in 1.15.0 and 0.3.1.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
AxiosAxios SwPlatformnode.js Version < 0.31.0
AxiosAxios SwPlatformnode.js Version >= 1.0.0 < 1.15.0
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.82% 0.76
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 4.8 2.2 2.5
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
security-advisories@github.com 4.8 2.2 2.5
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
0b0ca135-0b70-47e7-9f44-1890c2a1c46c 9 2.2 6
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.

CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes

The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
20.04.2026 16:46
https://github.com/axios/axios/releases/tag/v1.15.0
Product
Release Notes
https://github.com/axios/axios/pull/10660
Patch
Issue Tracking
https://github.com/axios/axios/commit/363185461b90b1b78845dc8a99a1f103d9b122a1
Patch
https://github.com/axios/axios/pull/10660#issuecomment-4224168081
Patch
Issue Tracking
https://github.com/axios/axios/commit/03cdfc99e8db32a390e12128208b6778492cee9c
Patch
https://github.com/axios/axios/pull/10688
Patch
https://github.com/axios/axios/releases/tag/v0.31.0
Release Notes
https://cert-portal.siemens.com/productcert/html/ssa-876049.html
https://bugzilla.redhat.com/show_bug.cgi?id=2457432
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-40175.json
https://access.redhat.com/errata/RHSA-2026:10104
https://access.redhat.com/errata/RHSA-2026:11414
https://access.redhat.com/errata/RHSA-2026:13542
https://access.redhat.com/errata/RHSA-2026:13548
https://access.redhat.com/errata/RHSA-2026:13571
https://access.redhat.com/errata/RHSA-2026:14774
https://access.redhat.com/errata/RHSA-2026:15091
https://access.redhat.com/errata/RHSA-2026:17468
https://access.redhat.com/errata/RHSA-2026:19712
https://access.redhat.com/errata/RHSA-2026:20041
https://access.redhat.com/errata/RHSA-2026:8483
https://access.redhat.com/errata/RHSA-2026:10175
https://access.redhat.com/errata/RHSA-2026:16874
https://access.redhat.com/errata/RHSA-2026:8484
https://access.redhat.com/errata/RHSA-2026:8490
https://access.redhat.com/errata/RHSA-2026:8491
https://access.redhat.com/errata/RHSA-2026:8493
https://access.redhat.com/errata/RHSA-2026:9742
https://access.redhat.com/errata/RHSA-2026:14937
https://access.redhat.com/errata/RHSA-2026:13826
https://access.redhat.com/errata/RHSA-2026:24762
https://access.redhat.com/errata/RHSA-2026:17657
https://access.redhat.com/errata/RHSA-2026:17699
https://access.redhat.com/errata/RHSA-2026:20938
https://access.redhat.com/errata/RHSA-2026:25041
https://access.redhat.com/errata/RHSA-2026:10153
https://access.redhat.com/errata/RHSA-2026:10172
https://access.redhat.com/errata/RHSA-2026:17474
https://access.redhat.com/errata/RHSA-2026:36882
https://access.redhat.com/errata/RHSA-2026:8499
https://access.redhat.com/errata/RHSA-2026:8500
https://access.redhat.com/errata/RHSA-2026:8501
https://github.com/axios/axios/security/advisories/GHSA-fvcv-3m26-pcqx
Vendor Advisory
Exploit
Mitigation
https://access.redhat.com/security/cve/CVE-2026-40175