Vulnerability Description
Axios is a promise based HTTP client for the browser and Node.js. Versions prior to 1.15.0 and 0.3.1 are vulnerable to a specific gadget-style attack chain in which prototype pollution in a third-party dependency may be leveraged to inject unsanitized header values into outbound requests. This vulnerability is fixed in 1.15.0 and 0.3.1.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Axios | Axios | < 0.31.0 |
Related Weaknesses (CWE)
References
- https://github.com/axios/axios/commit/03cdfc99e8db32a390e12128208b6778492cee9cPatch
- https://github.com/axios/axios/commit/363185461b90b1b78845dc8a99a1f103d9b122a1Patch
- https://github.com/axios/axios/pull/10660Issue TrackingPatch
- https://github.com/axios/axios/pull/10688Patch
- https://github.com/axios/axios/releases/tag/v0.31.0Release Notes
- https://github.com/axios/axios/releases/tag/v1.15.0ProductRelease Notes
- https://github.com/axios/axios/security/advisories/GHSA-fvcv-3m26-pcqxExploitMitigationVendor Advisory
- https://github.com/axios/axios/pull/10660#issuecomment-4224168081Issue TrackingPatch
- https://cert-portal.siemens.com/productcert/html/ssa-876049.html
FAQ
What is CVE-2026-40175?
CVE-2026-40175 is a vulnerability with a CVSS score of 4.8 (MEDIUM). Axios is a promise based HTTP client for the browser and Node.js. Versions prior to 1.15.0 and 0.3.1 are vulnerable to a specific gadget-style attack chain in which prototype pollution in a third-part...
How severe is CVE-2026-40175?
CVE-2026-40175 has been rated MEDIUM with a CVSS base score of 4.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-40175?
Check the references section above for vendor advisories and patch information. Affected products include: Axios Axios.