Axios Prototype Pollution leads to RCE (CVE-2026-40175) [PoC]
CVE-2026-40175
Attackers chain prototype pollution into full RCE via Axios gadget flaw. Update to version 1.15.0+ to block IMDSv2 bypass and server takeover.
Exploitation confirmed - public proof-of-concept - CVE-2026-40175 is a critical remote code execution vulnerability in Axios HTTP client prior to version 1.15.0 that grants unauthenticated attackers full server takeover and AWS cloud compromise by using Axios as a gadget to escalate prototype pollution bugs into RCE. Update to version 1.15.0 immediately.
Overview
A critical vulnerability (CVE-2026-40175) in the Axios HTTP client library for Node.js and browsers allows a specific “gadget” attack chain. This flaw enables an attacker to escalate a Prototype Pollution vulnerability in any other library used by the application into full Remote Code Execution (RCE) or cloud compromise.
Technical Details
Axios versions prior to 1.15.0 contain a dangerous code pattern. If a separate Prototype Pollution vulnerability exists elsewhere in the application’s dependency chain, an attacker can use Axios as a “gadget” to chain these flaws. This chaining transforms a lower-severity pollution issue into a high-impact exploit. The attack is network-based, requires no user interaction or special privileges, and has low complexity, leading to its maximum CVSS score of 10.0.
A particularly severe outcome of this chain is the potential for a full AWS cloud compromise. By exploiting this flaw, an attacker could bypass the Instance Metadata Service v2 (IMDSv2) security controls on cloud instances, granting them access to sensitive cloud credentials and permissions.
Impact
The impact is severe for any application using a vulnerable version of Axios alongside a library with a Prototype Pollution bug. Successful exploitation grants an attacker the ability to execute arbitrary code on the server with the same permissions as the Node.js application process. This can lead to complete system takeover, data theft, and, in cloud environments, lateral movement to compromise the entire cloud account and its resources.
Remediation and Mitigation
The primary and only complete mitigation is to upgrade the Axios library to version 1.15.0 or later. This version contains the necessary fix to break the gadget chain.
Immediate Actions:
- Update Axios: Run `npm update axios` or `yarn upgrade axios` to ensure version 1.15.0+ is installed.
- Audit Dependencies: Review your application’s dependency tree for other known Prototype Pollution vulnerabilities, as these are the required entry point for this attack chain. Use tools like `npm audit` or software composition analysis (SCA) scanners.
- Restrict Network Access: For applications running in cloud environments like AWS, ensure that instance metadata service (IMDS) access is restricted according to the principle of least privilege. This can limit the impact of a successful IMDSv2 bypass.
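Two defensive checks that follow from the actions above, as an added example (not code from the advisory or from the Axios project): a scan of an npm lockfile for every installed copy of axios below the fixed version 1.15.0, including nested copies that `npm update` alone can miss, and a runtime canary that reports enumerable keys on shared prototypes, which is the usual trace left by a Prototype Pollution bug. The sample lockfile is constructed; ignoring prerelease tags in the version compare is an assumption.

```javascript
// Added example, not from the advisory or the Axios project.
const FIXED_AXIOS_VERSION = '1.15.0'; // fixed version stated in the advisory

// Numeric compare of dotted versions; returns -1, 0 or 1.
// Assumption: prerelease suffixes ("1.15.0-beta.1") are ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

function isVulnerableAxios(version) {
  return compareVersions(version, FIXED_AXIOS_VERSION) < 0;
}

// Walk the "packages" map of a package-lock v2/v3 file. Every key that ends in
// "node_modules/axios" is a separately installed copy, nested ones included.
function findVulnerableAxios(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    const isAxios = path === 'node_modules/axios' || path.endsWith('/node_modules/axios');
    if (isAxios && meta.version && isVulnerableAxios(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Prototype-pollution canary: built-in members of Object.prototype and Array.prototype
// are non-enumerable, so any enumerable key found there was added by application or
// library code, typically through a polluted "__proto__" or "constructor.prototype" path.
function pollutedPrototypeKeys() {
  return [
    ...Object.keys(Object.prototype).map((k) => `Object.prototype.${k}`),
    ...Object.keys(Array.prototype).map((k) => `Array.prototype.${k}`),
  ];
}

// Constructed sample lockfile: the direct axios copy is fixed, a nested copy is not.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    'node_modules/axios': { version: '1.15.0' },
    'node_modules/some-sdk': { version: '2.3.1' },
    'node_modules/some-sdk/node_modules/axios': { version: '1.7.9' },
  },
};
```

Run `findVulnerableAxios(JSON.parse(fs.readFileSync('package-lock.json')))` against a real lockfile; an empty result from `pollutedPrototypeKeys()` at startup and after request handling is the expected healthy state.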
Security Insight
This vulnerability underscores the escalating risk of “gadget” attacks in modern software ecosystems, where a seemingly benign library can become a critical link in an exploit chain. Similar to the risks posed by deserialization gadgets in frameworks like LangChain, it highlights that an application’s overall security is only as strong as the weakest interaction between its dependencies. It serves as a stark reminder for developers to treat all third-party code, especially ubiquitous utilities like HTTP clients, as potential attack surface.
Update - May 2026
Since initial publication, little concrete movement has occurred regarding CVE-2026-40175, but key changes merit attention. As of May 8, 2026, CISA has not added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, though its status should still be monitored weekly. The EPSS probability score has dropped sharply from 0.00239 (at publication) to 0.0003 (7th percentile), indicating reduced observed exploitation activity or model recalibration, though the base CVSS 10.0 score remains unchanged.
An analysis of a separate but related CVE-2026-40174 (also critical, same upstream library) was published April 28, 2026, describing a distinct attack path against the same memory management component - defenders should review this sibling weakness when assessing exposure. No other related CVEs have been disclosed in the same software family to date.
No public exploitation reports have emerged in May, and no dedicated detection signatures have been released by major vendors. Two informal PoC demonstrations were posted on April 15, but both required authentication and high privileges, softening the immediate attack surface for most deployments.
Recommended actions: Continue monitoring CISA KEV weekly; apply the vendor’s emergency patch (released April 12, 2026) if not yet deployed, as no reliable workarounds exist. Validate that the patch covers both CVE-2026-40175 and CVE-2026-40174. Until exploitation data changes, maintain current patching urgency.
Public PoC References
Unverified third-party code
These repositories are publicly listed on GitHub and have not been audited by Yazoul Security. They may contain malware, backdoors, destructive payloads, or operational security risks (telemetry, exfiltration). Treat them as hostile binaries. Inspect source before execution. Run only in isolated, disposable lab environments (offline VM, no credentials, no production data).
Authorized use only. This information is provided for defensive research, detection engineering, and patch validation. Using exploit code against systems you do not own or do not have explicit written permission to test is illegal in most jurisdictions and violates Yazoul's terms of use.
| Repository | Stars |
|---|---|
| LeeKangHyun/axios-security-guide Axios CRLF Injection (CVE-2026-40175) vulnerability response guide and fetch-based migration analysis | ★ 0 |
Showing 1 of 1 known references. Source: nomi-sec/PoC-in-GitHub.