A critical (CVSS 10.0) header injection vulnerability in the Axios HTTP client library, CVE-2026-40175, can be chained with a proxy bypass (CVE-2025-62718) to enable Server-Side Request Forgery (SSRF) and cloud metadata exfiltration.
CONFIRMED: No active exploitation observed. The vulnerability is not listed on CISA's KEV. The EPSS score is low (0.403%), indicating a low probability of exploitation in the next 30 days despite the critical CVSS score.
Immediate action is to identify all server-side applications utilizing the Axios library and prepare for patching. Monitor for vendor advisories and patch releases.
Intelligence Metadata
First Reported By: msrc.microsoft.com
Outbreak Velocity: 0 minutes to 1 unique domain
Consensus: 1 source across 1 unique domain
CVSS Score: 10.0
EPSS Score: 0.00403 (4.03 percentile)
CISA KEV Status: Not Listed
Exploit Risk Score: 0.4016
Race Label: FRESH EXPLOIT
Technical Analysis
The vulnerability, identified as CVE-2026-40175, is a header injection flaw within the Axios HTTP client library. According to the initial report from Microsoft, this can lead to unrestricted cloud metadata exfiltration. This flaw appears to be part of an attack chain involving CVE-2025-62718, which is described as a `NO_PROXY` hostname normalization bypass. The inferred attack path begins with an attacker leveraging the normalization bypass to circumvent proxy configurations, resulting in a Server-Side Request Forgery (SSRF) condition. Subsequently, the attacker can use the header injection vulnerability to craft malicious requests to internal network resources, with a primary focus on cloud instance metadata services (e.g., AWS IMDS, Azure IMDS). Successful exploitation would allow an unauthenticated, remote attacker to exfiltrate sensitive data, including temporary cloud credentials, from the underlying server infrastructure.
Affected Systems
Vendor: Axios
Affected Versions:
Axios (specific vulnerable versions not provided in source intelligence)
Exposure: Server-side applications (e.g., Node.js) that use the Axios library to make HTTP requests where request parameters, such as the URL or headers, can be influenced by untrusted external input.
Blast Radius: High. Axios is a ubiquitous JavaScript HTTP client library. A significant number of server-side applications using a vulnerable version for outbound requests could be potential ingress points.
Intelligence Context
The threat picture for CVE-2026-40175 presents a significant conflict between severity and probability. The CVSS 10.0 score reflects the maximum theoretical impact, likely due to the risk of complete information disclosure via cloud credential theft without authentication. However, this is sharply contrasted by the low EPSS score of 0.403%, which predicts a very low likelihood of exploitation in the wild within the next 30 days. The intelligence is currently single-sourced from Microsoft (msrc.microsoft.com) and is not yet listed in CISA's KEV, corroborating the absence of observed exploitation campaigns. This profile suggests a vulnerability that, while technically severe, may require specific, non-default configurations or complex preconditions to exploit, reducing its immediate attractiveness to attackers. For defenders, this warrants prioritizing asset discovery and monitoring over emergency, out-of-band patching.
Remediation & Defense
Investigate exposed assets. Identify all server-side codebases utilizing the Axios library. Monitor for an official vendor patch and apply it based on standard risk assessment.
Patch Status: Not available
Patch Version: Not available
Workarounds:
Implement strict, allow-list-based validation on all user-supplied input used to construct URLs or headers in server-side Axios requests.
Utilize network egress filtering to block or log all requests from application servers to known cloud metadata service IP addresses (e.g., 169.254.169.254).
Detection Hints:
Monitor for outbound HTTP requests from application servers to unexpected internal destinations, particularly cloud metadata endpoints.
Inspect application logs for evidence of malformed URLs or unusual headers in requests initiated by the Axios library.