Axios CVE-2026-40175: a critical bug that’s… not exploitable

It’s been a chaotic few weeks for Axios.

First, a major supply chain attack put the package under scrutiny. Then, just days later, headlines started appearing about a “critical 10/10 vulnerability” that could lead to full cloud compromise.

If you’ve read the coverage, you’ve probably seen claims like:

• “attackers can steal AWS credentials”
• “IMDSv2 bypass”
• “remote code execution chain”

That sounds bad.

But when you look closely at how this vulnerability actually behaves in real environments, the story changes.

After analyzing the exploit chain and validating behavior with Raul Vega Del Valle,  the researcher who reported the issue, one thing becomes clear:

In standard Node.js environments, this vulnerability is not realistically exploitable. 

The reason is simple: the attack depends on injecting malformed headers, something Node.js has already blocked at the runtime level for years.

That doesn’t mean the CVE is wrong. The underlying issue in Axios is real, and patching it was the right call. But the idea that this leads to easy cloud compromise in production doesn’t hold up under scrutiny. In practice, exploitation would require very obscure conditions, such as a custom adapter that bypasses Nodes header validation.

What the CVE Claims

CVE-2026-40175 is described as a “gadget chain” vulnerability:

1. Prototype pollution in a dependency
2. Axios picks up polluted values
3. CRLF header injection
4. Request smuggling / SSRF
5. AWS IMDSv2 bypass
6. Credential theft → cloud compromise

In theory, it looks like this:

// Prototype pollution somewhere else
Object.prototype['x-amz-target'] =
 "dummy\r\n\r\nPUT /latest/api/token HTTP/1.1\r\n" +
 "Host: 169.254.169.254\r\n" +
 "X-aws-ec2-metadata-token-ttl-seconds: 21600\r\n\r\nGET /ignore";

// Normal application code
axios.get("https://internal.service");

Axios merges config → picks up polluted headers → sends a malicious request.

That’s the theory.

What actually happens in Node.js

The problem is: this chain breaks in real-world environments.

Axios uses Node’s built-in HTTP client under the hood:

http.request(...)

And Node.js has rejected CRLF characters in headers for years.

If you try:

http.request({
 headers: {
   "x-test": "hello\r\nInjected: yes"
 }
});

You’ll get:

TypeError [ERR_INVALID_CHAR]: Invalid character in header content

‍

That happens before any request is sent.

So the core primitive the exploit depends on — CRLF header injection — is already blocked at the runtime level.

We verified this with the researcher

To validate this, we spoke directly with the researcher who reported the vulnerability, Raul Vega Del Valle.

His conclusion aligns with what we observed:

• Node.js blocks CRLF header injection
• The same behavior occurs in Bun and Deno
• As a result, the attack chain is not realistically reachable in standard environments

In Raul’s words:

“In a real world application… it should not happen… Node, Bun or Deno just block the CRLF.”

He also confirmed that:

“It should not be possible in real production applications.” 

That’s a critical nuance missing from most coverage.

Why the CVE still exists

So if it’s not exploitable in practice, why is this a CVE?

Because the issue is real at the library level.

Axios previously allowed unsafe header values. Even if the runtime blocks them, the library itself didn’t enforce that constraint.

As the researcher explained:

“It is real on the library level, although it is not on the interpreter level,” says Raul Vega Del Valle

There is also an edge case worth mentioning for completeness. Axios allows developers to override how requests are sent using a custom adapter. Instead of relying on Node’s built-in http.request, a custom adapter could manually construct and send HTTP requests.

In theory, if an application:

• uses a custom Axios adapter
• bypasses Node’s HTTP client entirely
• and writes raw requests directly to sockets

then header validation could also be bypassed. In that scenario, CRLF injection might become possible again.

That said, this requires non-standard usage and deliberate opt-out of built-in protections. It does not apply to typical Node.js applications using Axios out of the box.

What about the IMDSv2 bypass?

This is the most hyped part of the story and the least grounded in reality.

Yes, the advisory shows a request like:

‍

PUT /latest/api/token
Host: 169.254.169.254
X-aws-ec2-metadata-token-ttl-seconds: 21600

‍

But to get there, an attacker needs:

• prototype pollution
• CRLF injection
• request smuggling
• no runtime validation

In Node.js, that chain breaks early.

Even the researcher noted that IMDSv2 bypass is not realistically achievable in this setup, though he mentioned IMDSv1 might be worth further investigation.

‍

Why this was rated critical

The “10/10” rating comes from worst-case chaining potential, not typical exploitability.

If you assume:

• prototype pollution is possible
• headers can be injected
• internal services are reachable
• metadata endpoints are exposed

Then yes, the impact could be severe.

But that’s a lot of assumptions layered together.

What developers should actually do

This isn’t a “drop everything” situation, but it’s not something to ignore either.

You should:

• Upgrade to Axios ≥ 1.15.0
• Audit your dependencies for prototype pollution risks
• Review SSRF exposure and network access
• Avoid relying on runtime protections alone

Focus on the real attack surface, not just the CVE headline.

‍