VDB
DEBIAN-CVE-2026-40175
PUBLISHED
CVSS 4.8 MEDIUM
Axios is a promise-based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.3.1, the Axios library is vulnerable to a specific "gadget" attack chain that allows Prototype Pollution in any third-party dependency to be escalated into Remote Code Execution (RCE) or full cloud compromise (via AWS IMDSv2 bypass). This vulnerability is fixed in 1.15.0 and 0.3.1.
Risk Scores
CVSS 3.1
4.8
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:14 | node-axios | 1.14.0+dfsg, 1.8.4+dfsg, 1.11.0+dfsg-1 |
| Debian:13 | node-axios | 0, 1.12.1+dfsg-1, 1.13.1+dfsg-1 |
| Debian:12 | node-axios | 1.11.0+dfsg-1, 1.12.1+dfsg-1, 1.13.2+dfsg-1 |
| Debian:11 | node-axios | 1.6.2+dfsg, 1.6.8+dfsg |
Exploit Intelligence
- CVE-2026-40175 (github-poc-repo)
- Scan local repos for vulnerable axios versions (CVE-2026-40175) and patch interactively (github-poc-repo)
- Axios CRLF Injection (CVE-2026-40175) vulnerability response guide and fetch-based migration analysis (github-poc-repo)
- pjt3591oo/CVE-2026-40175-poc (github-poc-repo)
- pjt3591oo/CVE-2026-40175-poc (github-poc)
- Axios CRLF Injection (CVE-2026-40175) vulnerability response guide and fetch-based migration analysis (github-poc)
- Scan local repos for vulnerable axios versions (CVE-2026-40175) and patch interactively (github-poc)
- CVE-2026-40175 (github-poc)
- pnpm-workspace.yaml (github-poc)
…and 9 more exploits
Timeline
- Apr 10, 2026 CVE Published
- Apr 28, 2026 CVE Updated