CVE-2026-40175: Header Injection in Axios via Prototype Pollution Gadget

CVE-2026-40175 is a critical vulnerability in the Axios HTTP client library affecting versions prior to 1.15.0 and 0.31.0. The flaw resides in the configuration merging logic, which insecurely inherits properties from the global Object prototype. This inheritance transforms Axios into a highly effective exploitation gadget for prototype pollution chains.

When an attacker pollutes Object.prototype with a maliciously crafted property, Axios processes this property as an outgoing HTTP header. The library fails to adequately sanitize internal Carriage Return Line Feed (CRLF) characters within these injected headers.

This improper neutralization of CRLF sequences (CWE-113) facilitates HTTP request smuggling and splitting. Attackers leverage this behavior to bypass Server-Side Request Forgery (SSRF) protections. The primary exploitation path targets cloud metadata services, notably the AWS Instance Metadata Service (IMDSv2).

The root cause involves two distinct but intersecting failures in the Axios library. First, the internal utility functions responsible for combining global defaults, instance defaults, and request-specific configurations do not isolate their execution context. They iterate over configuration properties using mechanisms that traverse the prototype chain.

Because the merging logic includes properties inherited from Object.prototype, any globally polluted property is interpreted as a legitimate request configuration. If an attacker injects Object.prototype['x-injected-header'] = 'value', Axios blindly appends this header to all subsequent outgoing HTTP requests initiated by the application.

Second, prior to the patch, Axios implemented insufficient header sanitization. The library utilized a weak regular expression String(value).replace(/[\r\n]+$/, '') to strip trailing CRLF characters. This implementation entirely ignored internal CRLF sequences embedded within the header value.

The failure to validate internal characters allows the injection of \r\n sequences into the HTTP stream. The underlying Node.js HTTP implementation processes these sequences as structural control characters. This enables the termination of the initial HTTP request and the initiation of a secondary, smuggled request within the same TCP connection.

The vulnerability remediation required strict structural validation of all HTTP header values. The patch introduced a new validation function assertValidHeaderValue within lib/core/AxiosHeaders.js. This function systematically evaluates headers for structural integrity before transmission.

The patched implementation replaces the flawed trailing-character replacement with a strict rejection mechanism. The function utilizes the regular expression !/[\r\n]/.test(value) to identify any internal or trailing carriage return or line feed characters.

// Patched Implementation in lib/core/AxiosHeaders.js
function assertValidHeaderValue(value) {
  if (typeof value !== 'string') {
    value = String(value);
  }
  // strict validation against internal CRLF sequences
  if (/[\r\n]/.test(value)) {
    throw new Error('Invalid character in header content');
  }
  return value;
}

For the legacy 0.x branch, maintainers implemented a character whitelisting approach via sanitizeHeaderValue. This function actively removes characters outside the permitted ASCII range using the regex /[^\x09\x20-\x7E\x80-\xFF]/g. These combined approaches ensure that smuggled requests cannot be constructed via prototype pollution.

Exploitation of CVE-2026-40175 requires a multi-stage attack chain. The attacker must first identify and exploit a prototype pollution vulnerability within the target application. This initial vulnerability typically resides in a third-party dependency such as lodash, qs, or serialize-javascript that insecurely parses user input.

Once the prototype is polluted, the attacker injects a malicious property targeting the Axios configuration. The payload contains structural HTTP control characters (\r\n) followed by a completely independent HTTP request.

// Step 1: Pollute the prototype (Source)
Object.prototype['x-smuggled-header'] = 'ignore\r\n\r\nPUT /latest/api/token HTTP/1.1\r\nHost: 169.254.169.254\r\nX-aws-ec2-metadata-token-ttl-seconds: 21600\r\n\r\n';
 
// Step 2: Trigger any Axios request (Gadget)
const axios = require('axios');
axios.get('https://example.com');

When the application executes any standard Axios request, the underlying socket receives the original request immediately followed by the smuggled request. This technique allows attackers to dictate the HTTP verb, target URI, and specific headers of the secondary request. It entirely bypasses application-level SSRF filters that restrict PUT requests or specific target IPs.

The CVSS v3.1 score of 10.0 reflects the critical nature of this vulnerability when successfully chained. The primary impact is the bypass of SSRF protections and subsequent interaction with internal network services. The most common target is the AWS IMDSv2 metadata endpoint.

IMDSv2 mitigates standard SSRF attacks by requiring a PUT request containing a specific header (X-aws-ec2-metadata-token-ttl-seconds) to retrieve a session token. Traditional GET-based SSRF vulnerabilities cannot satisfy these requirements. Request smuggling via Axios provides the exact primitive necessary to construct this PUT request.

Successful extraction of the IMDSv2 token grants the attacker temporary AWS credentials associated with the EC2 instance role. This escalation path transforms a restricted server-side vulnerability into full infrastructure compromise, allowing lateral movement, data exfiltration, or resource manipulation within the cloud environment.

The primary remediation for CVE-2026-40175 is upgrading the Axios library to a patched version. Applications utilizing the 1.x branch must upgrade to version 1.15.0 or later. Systems operating on the legacy 0.x branch require an upgrade to version 0.31.0.

Upgrading the library addresses the gadget phase of the attack chain. However, comprehensive remediation requires addressing the initial prototype pollution vulnerability. Security teams must perform dependency audits using tools like npm audit to identify and update packages responsible for insecure object parsing.

In environments where immediate patching is not technically feasible, operators can deploy Web Application Firewall (WAF) rules. These rules should inspect incoming requests for URL-encoded CRLF characters (%0d%0a) in unusual parameter locations. Additionally, applications can utilize Object.freeze(Object.prototype) to prevent prototype pollution at the runtime level, though this may cause compatibility issues with legacy frameworks.