[{"data":1,"prerenderedAt":139},["ShallowReactive",2],{"article-slug-critical-axios-library-vulnerability-cve-2026-40175-allows-rce":3,"articles-index":-1},{"id":4,"slug":5,"headline":6,"title":7,"summary":8,"full_report":9,"twitter_post":10,"meta_description":11,"category":12,"severity":16,"entities":17,"cves":26,"sources":32,"events":55,"mitre_techniques":62,"mitre_mitigations":75,"d3fend_countermeasures":104,"iocs":105,"cyber_observables":106,"tags":123,"extract_datetime":126,"article_type":127,"impact_scope":128,"pub_date":36,"reading_time_minutes":138,"createdAt":126,"updatedAt":126},"94a05075-6b04-425f-a5a4-5395d0592fd7","critical-axios-library-vulnerability-cve-2026-40175-allows-rce","Critical Flaw in Axios Library Puts Countless Web Apps at Risk of RCE","Critical SSRF Vulnerability in Axios Library (CVE-2026-40175) Allows for Remote Code Execution","A critical Server-Side Request Forgery (SSRF) vulnerability, CVE-2026-40175, has been discovered in Axios, one of the most popular JavaScript libraries for making HTTP requests. The flaw, rated CVSS 10.0, can be exploited by an unauthenticated remote attacker to achieve remote code execution (RCE) and potentially compromise entire cloud environments. A public proof-of-concept is available, making this a critical supply chain risk that requires immediate attention from developers.","## Executive Summary\nA **critical** vulnerability, **[CVE-2026-40175](https://www.cve.org/CVERecord?id=CVE-2026-40175)**, has been disclosed in the widely used **Axios** npm package, a JavaScript library with millions of weekly downloads. The flaw has been assigned a CVSS score of **10.0**, reflecting its maximum severity. It is a Server-Side Request Forgery (SSRF) vulnerability that can be escalated by an unauthenticated, remote attacker to achieve Remote Code Execution (RCE). The release of a public proof-of-concept (PoC) exploit demonstrates a viable attack chain for compromising cloud environments by stealing credentials from metadata services. This represents a severe **[Supply Chain Attack](https://www.cisa.gov/supply-chain-risk-management)** risk, and all developers using affected versions of **Axios** must upgrade immediately.\n\n---\n\n## Vulnerability Details\nThe vulnerability is a complex chain of weaknesses:\n\n1.  **HTTP Response Splitting:** The core issue lies in `lib/adapters/http.js`, where **Axios** improperly handles header values. An attacker can provide a header containing carriage return and line feed (CRLF) characters (`\\r\\n`). **Axios** merges this into an outbound HTTP request, allowing the attacker to \"split\" the response and inject arbitrary content or headers ([`T1197`](https://attack.mitre.org/techniques/T1197/)).\n\n2.  **Prototype Pollution:** The SSRF can be chained with a separate prototype pollution vulnerability in a third-party dependency used by the application. This allows the attacker to modify the prototype of base objects in the JavaScript environment.\n\n3.  **Gadget Attack Chain:** The combination of these flaws creates a \"Gadget Attack Chain.\" An attacker can use the SSRF to make the server send a request to a malicious endpoint. The crafted response from this endpoint then exploits the prototype pollution to execute code or manipulate the application's logic. The public PoC demonstrates using this chain to bypass AWS IMDSv2 protections and exfiltrate sensitive cloud credentials.\n\n## Affected Systems\n-   **Axios** npm package versions below **1.13.2**.\n\nGiven that **Axios** is one of the most popular JavaScript libraries, the number of affected web applications and services is potentially in the millions.\n\n## Exploitation Status\nA public proof-of-concept (PoC) exploit has been released. While there are no confirmed reports of widespread active exploitation *yet*, the availability of a PoC dramatically lowers the bar for attackers and makes exploitation imminent.\n\n## Impact Assessment\nThe impact is critical (CVSS 10.0). A successful exploit allows an unauthenticated attacker to:\n-   **Achieve Remote Code Execution:** Gain full control over the server-side application.\n-   **Compromise Cloud Environments:** Steal cloud infrastructure credentials (e.g., AWS IAM roles) from instance metadata services, leading to a full cloud account takeover.\n-   **Bypass Security Controls:** The SSRF can be used to bypass firewalls and make requests to internal services that are not exposed to the internet, allowing attackers to scan and attack the internal network.\n-   **Data Exfiltration:** Access and steal sensitive data from databases and other internal systems.\n\n## Cyber Observables for Detection\n| Type | Value | Description |\n|---|---|---|\n| log_source | Application Logs | Look for malformed or unexpected headers in requests being processed by Axios. Specifically, search for `\\r\\n` or `%0d%0a` characters in header values. |\n| network_traffic_pattern | Outbound requests from application servers to unexpected internal or external IPs. | An indicator of SSRF, where the server is forced to make a request on the attacker's behalf. |\n| url_pattern | `http://169.254.169.254/` | Monitor for requests from application servers to cloud metadata service endpoints, which is a classic SSRF target. |\n\n## Detection Methods\n1.  **Software Composition Analysis (SCA):** Use SCA tools (e.g., Snyk, Dependabot) to scan your projects' dependencies and identify all instances of vulnerable **Axios** versions.\n2.  **Log Analysis (D3-NTA: Network Traffic Analysis):** Analyze application and network logs for the observables listed above. Create alerts for any outbound connections from application servers to cloud metadata endpoints or other suspicious internal IPs.\n3.  **Code Review:** Manually review code to identify where user-controllable input is being passed into **Axios** request headers, as this is a potential exploitation point.\n\n## Remediation Steps\n1.  **Update Immediately (D3-SU: Software Update):** The only definitive solution is to update the **Axios** package to version **1.13.2** or later in all your projects. Run `npm update axios` or `yarn upgrade axios` and redeploy your applications.\n2.  **Input Validation:** As a defense-in-depth measure, always sanitize and validate any user-supplied input that is used to construct HTTP requests, including URLs, headers, and body content. Strip any CRLF characters.\n3.  **Network Egress Filtering (M1037):** Implement strict egress filtering rules on application servers to block outbound connections to cloud metadata services and other unnecessary internal or external endpoints. This can mitigate the impact of an SSRF attack.","🚨 CRITICAL VULNERABILITY (CVSS 10.0) in Axios JS library! CVE-2026-40175 is an SSRF flaw that can lead to RCE and full cloud compromise. PoC is public. If you use Axios, update to v1.13.2 NOW! 🌐 #SupplyChain #RCE #SSRF","A critical SSRF vulnerability (CVE-2026-40175) with a CVSS score of 10.0 has been found in the popular Axios JavaScript library, allowing for RCE and cloud compromise. A PoC is available.",[13,14,15],"Vulnerability","Supply Chain Attack","Cloud Security","critical",[18,21,23],{"name":19,"type":20},"Axios","product",{"name":22,"type":20},"npm",{"name":24,"type":25},"Amazon Web Services (AWS)","vendor",[27],{"id":28,"cvss_score":29,"cvss_version":30,"kev":31,"severity":16},"CVE-2026-40175",10,"3.1",false,[33,39,44,50],{"url":34,"title":35,"date":36,"friendly_name":37,"website":38},"https://www.csa.gov.sg/alerts-advisories/alerts/al-2026-0416-1","Critical Vulnerability in Axios","2026-04-16","CSA Singapore","csa.gov.sg",{"url":40,"title":41,"date":42,"website":43},"https://www.cyberpress.com/critical-axios-vulnerability-allows-remote-code-execution-poc-exploit-released/","Critical Axios Vulnerability Allows Remote Code Execution - PoC Exploit Released","2026-04-13","cyberpress.com",{"url":45,"title":46,"date":47,"friendly_name":48,"website":49},"https://snyk.io/vuln/SNYK-JS-AXIOS-6543324","HTTP Response Splitting in axios | CVE-2026-40175","2026-04-11","Snyk","snyk.io",{"url":51,"title":52,"date":42,"friendly_name":53,"website":54},"https://access.redhat.com/security/cve/cve-2026-40175","CVE-2026-40175 - Red Hat Customer Portal","Red Hat","access.redhat.com",[56,59],{"datetime":57,"summary":58},"2026-04-11T00:00:00Z","The vulnerability is publicly disclosed by Snyk.",{"datetime":60,"summary":61},"2026-04-13T00:00:00Z","A public proof-of-concept exploit is released.",[63,67,71],{"id":64,"name":65,"tactic":66},"T1197","BITS Jobs","Defense Evasion",{"id":68,"name":69,"tactic":70},"T1059.007","JavaScript","Execution",{"id":72,"name":73,"tactic":74},"T1595.002","Vulnerability Scanning","Reconnaissance",[76,86,95],{"id":77,"name":78,"d3fend_techniques":79,"description":84,"domain":85},"M1051","Update Software",[80],{"id":81,"name":82,"url":83},"D3-SU","Software Update","https://d3fend.mitre.org/technique/d3f:SoftwareUpdate","Updating the Axios library to a non-vulnerable version is the most critical and effective mitigation.","enterprise",{"id":87,"name":88,"d3fend_techniques":89,"description":94,"domain":85},"M1037","Filter Network Traffic",[90],{"id":91,"name":92,"url":93},"D3-OTF","Outbound Traffic Filtering","https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering","Implementing strict egress filtering on application servers to block connections to cloud metadata endpoints can prevent the theft of credentials via SSRF.",{"id":96,"name":97,"d3fend_techniques":98,"description":103,"domain":85},"M1048","Application Isolation and Sandboxing",[99],{"id":100,"name":101,"url":102},"D3-HBPI","Hardware-based Process Isolation","https://d3fend.mitre.org/technique/d3f:Hardware-basedProcessIsolation","Running applications in sandboxed or containerized environments with minimal privileges and strict network policies can limit the impact of an RCE.",[],[],[107,113,118],{"type":108,"value":109,"description":110,"context":111,"confidence":112},"string_pattern","%0d%0a","URL-encoded CRLF characters. Searching for this pattern in request headers within application logs can reveal HTTP Response Splitting attempts.","Application logs, WAF logs.","high",{"type":114,"value":115,"description":116,"context":117,"confidence":112},"url_pattern","http://169.254.169.254/latest/meta-data/iam/security-credentials/","The AWS instance metadata endpoint used to retrieve IAM role credentials. Requests to this URL from an application server are a strong indicator of an SSRF attack.","VPC Flow Logs, network monitoring tools, EDR network connection logs.",{"type":119,"value":120,"description":121,"context":122,"confidence":112},"file_name","package-lock.json","Developers can check this file (or yarn.lock) to see which version of Axios is being used in their project.","Software Composition Analysis (SCA) tools, manual code review.",[19,124,125,13,14,15,28,69],"SSRF","RCE","2026-04-16T15:00:00.000Z","Advisory",{"geographic_scope":129,"industries_affected":130,"other_affected":135},"global",[131,132,133,134],"Technology","Finance","Retail","Healthcare",[136,137],"Web application developers","Cloud service customers",4,1776358251929]