NVD
Briefly

"Prior to version 1.15.0, the Axios library is vulnerable to a specific 'Gadget' attack chain that allows Prototype Pollution in any third-party dependency to be escalated into Remote Code Execution or Full Cloud Compromise via AWS IMDSv2 bypass."
"The vulnerability identified as CVE-2026-40175 has been fixed in version 1.15.0 of Axios, ensuring that users are protected against these security risks."
Axios is a promise-based HTTP client for browsers and Node.js. Versions before 1.15.0 are susceptible to a Gadget attack chain, allowing Prototype Pollution to escalate into Remote Code Execution or Full Cloud Compromise through AWS IMDSv2 bypass. This vulnerability is addressed in version 1.15.0. The associated CWE identifiers include improper neutralization of CRLF sequences, inconsistent interpretation of HTTP requests, and server-side request forgery.
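To act on the fixed version above, the following added example (not code from NVD or the Axios project) lists every axios copy in a lockfile that is older than 1.15.0, including copies nested under other dependencies. It assumes an npm `package-lock.json` with lockfileVersion 2 or 3 (a top-level `packages` map); the function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: flag axios installs older than the fixed release named on this page.
const FIXED = [1, 15, 0]; // 1.15.0, the fixed version stated in the advisory text

// Parse "1.14.2" or "1.15.0-beta.1" into numeric parts plus a prerelease flag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v).trim());
  if (!m) return null;
  return { parts: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// True when the version sorts before 1.15.0.
// Unparseable versions are reported as affected so they get a manual look.
function isAffected(v) {
  const p = parseVersion(v);
  if (!p) return true;
  for (let i = 0; i < 3; i++) {
    if (p.parts[i] !== FIXED[i]) return p.parts[i] < FIXED[i];
  }
  return p.pre; // a prerelease of 1.15.0 sorts before 1.15.0 itself
}

// Walk the "packages" map (lockfileVersion 2/3) and collect affected axios copies.
// Nested copies matter: a transitive dependency can pin its own older axios.
function findAffectedAxios(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isAxios = path === "node_modules/axios" || path.endsWith("/node_modules/axios");
    if (isAxios && isAffected(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile (hypothetical package names other than axios).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.1" },
    "node_modules/axios": { version: "1.15.0" },
    "node_modules/axios-retry": { version: "4.0.0" },
    "node_modules/legacy-sdk/node_modules/axios": { version: "1.14.0" },
    "node_modules/other-lib/node_modules/axios": { version: "0.27.2" },
  },
};

console.log(findAffectedAxios(sampleLock));
```

For a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` instead of `sampleLock`.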