Cyber Posture

CVE-2026-40175

Medium · Public PoC

Published: 10 April 2026

Modified: 21 April 2026
KEV Added:
Patch:
CVSS Score: 4.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
EPSS Score: 0.0003 (7.2 percentile)
Risk Priority: 10 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2026-40175 affects the Axios library, a promise-based HTTP client used in browsers and Node.js environments, in versions prior to 1.15.0. The vulnerability enables a specific "gadget" attack chain that escalates Prototype Pollution occurring in any third-party dependency into Remote Code Execution (RCE) or full cloud compromise, including via AWS IMDSv2 bypass. It is associated with CWE-113, CWE-444, and CWE-918, and carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating critical severity.

Remote attackers with network access can exploit this vulnerability with low complexity, no required privileges, and no user interaction. By leveraging Prototype Pollution in a third-party dependency, they can chain it through Axios to achieve RCE on the target system or full compromise of cloud environments, such as bypassing AWS IMDSv2 protections.

The vulnerability is addressed in Axios version 1.15.0. Mitigation involves updating to this patched release, as detailed in the official GitHub security advisory (GHSA-fvcv-3m26-pcqx), the release notes for v1.15.0, and the fixing commit and pull request.
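Because the fix is a version update, the practical check is whether every copy of axios in a deployment, including copies nested under other dependencies, is at or above 1.15.0. The following Node.js script is an added example, not part of this advisory or of the axios project; it walks a package-lock.json in lockfile v2/v3 format, and the package names and versions in the embedded sample lockfile are constructed.

```javascript
// Added example: report every axios entry in a package-lock.json
// ("packages" map, lockfileVersion 2 or 3) that is older than the fixed
// release named in the advisory.
const FIXED_AXIOS_VERSION = "1.15.0";

// Numeric comparison of dotted version strings. Pre-release suffixes are
// stripped (assumption: 1.15.0-alpha.1 is treated as 1.15.0; refine this if
// your lockfile pins pre-releases). Returns -1, 0 or 1.
function compareVersions(a, b) {
  const parse = (v) => v.split("-")[0].split(".").map((n) => parseInt(n, 10) || 0);
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Lockfile keys look like "node_modules/axios" for the top-level copy and
// "node_modules/<dep>/node_modules/axios" for a nested copy; both are checked,
// because a patched top-level copy does not protect a nested outdated one.
function findVulnerableAxios(lockfile, fixed = FIXED_AXIOS_VERSION) {
  const packages = lockfile.packages || {};
  const findings = [];
  for (const [path, meta] of Object.entries(packages)) {
    if (!path.endsWith("node_modules/axios") || !meta.version) continue;
    if (compareVersions(meta.version, fixed) < 0) {
      findings.push({ path, version: meta.version });
    }
  }
  return findings;
}

// Constructed sample lockfile: patched top-level axios plus an outdated copy
// nested under a hypothetical "some-sdk" dependency.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.15.0" },
    "node_modules/some-sdk": { version: "2.3.1" },
    "node_modules/some-sdk/node_modules/axios": { version: "1.14.0" },
  },
};

if (typeof module !== "undefined" && require.main === module) {
  for (const f of findVulnerableAxios(SAMPLE_LOCKFILE)) {
    console.log(`${f.path}: axios ${f.version} < ${FIXED_AXIOS_VERSION}, update required`);
  }
}
```

To run it against a real project, replace SAMPLE_LOCKFILE with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`.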

Details

CWE(s)
CWE-113, CWE-444, CWE-918

Affected Products

axios / axios ≤ 1.15.0

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability allows remote, unauthenticated exploitation of a widely used HTTP client library (Axios) in web applications and Node.js environments, leading to RCE via prototype pollution gadget chains, which maps directly to Exploit Public-Facing Application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References