VIR Vulnerability Intelligence Relay

CVE-2026-40175

medium
Published 2026-04-10 · Modified 2026-05-20
CVSS v3
4.8
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
CVSS v2
VIR risk
4.8

Description

Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain

Predictions

Exploit likelihood
58%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2026-40175

vendor Authored 2026-05-27

Vendor advisory: af854a3a-2127-422b-91ae-364da2661108 — https://github.com/axios/axios/pull/10660#issuecomment-4224168081

vendor Authored 2026-05-27

Vendor advisory: security-advisories@github.com — https://github.com/axios/axios/security/advisories/GHSA-fvcv-3m26-pcqx

vendor Authored 2026-05-27

Vendor advisory: security-advisories@github.com — https://github.com/axios/axios/releases/tag/v1.15.0

vendor Authored 2026-05-27

Vendor advisory: security-advisories@github.com — https://github.com/axios/axios/releases/tag/v0.31.0

vendor Authored 2026-05-27

Vendor advisory: security-advisories@github.com — https://github.com/axios/axios/pull/10688

vendor Authored 2026-05-27

Vendor advisory: security-advisories@github.com — https://github.com/axios/axios/pull/10660

vendor Authored 2026-05-27

Vendor advisory: security-advisories@github.com — https://github.com/axios/axios/commit/363185461b90b1b78845dc8a99a1f103d9b122a1

vendor Authored 2026-05-27

Vendor advisory: security-advisories@github.com — https://github.com/axios/axios/commit/03cdfc99e8db32a390e12128208b6778492cee9c

OS impact
OSVersionStatusFixed in
debian debianbookwormaffected
debian debianbullseyeaffected
debian debianforkyfixed1.15.0-1
debian debiansidfixed1.15.0-1
debian debiantrixieaffected

Package impact
EcosystemPackageVulnerableFixed
npm npmaxios>=1.0.0,<1.15.01.15.0
npm npmaxios<0.31.00.31.0
npm NPMaxios< 0.31.00.31.0
npm NPMaxios>= 1.0.0, < 1.15.01.15.0

Application impact
VendorProductVersionsFixed
axiosaxios{"endExcluding":"0.31.0"}0.31.0

References

CWEs

CWE-113 CWE-444 CWE-918

Verify integrity in audit chain (admin only). AS-IS.