Axios v1.15.0 Security Update Patches Critical RCE & Cloud Metadata Exfiltration Vulnerability (CVE-2026-40175)
A critical security vulnerability in the widely used Axios HTTP client library has been patched. The advisory describes an attack chain in which a prototype pollution bug in a third-party dependency is escalated, through Axios, into remote code execution (RCE) or unrestricted exfiltration of cloud instance metadata. The flaw, tracked as CVE-2026-40175, is a header injection issue that turns Axios into a 'gadget': an attacker who can pollute object prototypes through some other package can inject headers into the requests Axios sends, crossing security boundaries and reaching sensitive cloud infrastructure metadata.
The vulnerability affects Axios versions prior to 1.15.0; the bump from 1.13.6 to 1.15.0 in this update is what addresses the advisory. The chain is dangerous precisely because the Axios issue is not exploitable on its own: it needs a prototype pollution vulnerability somewhere else in the application's dependency tree to supply the polluted properties. Such pollution bugs are often rated low or moderate in isolation; with Axios available as a gadget, one of them becomes a path to full system compromise.
The patch is being propagated as a high-priority dependency update across the ecosystem by automated tools such as Renovate. Developers and security teams should update every project that uses Axios to 1.15.0 or later, including transitive copies pinned in lockfiles by other packages, and should treat the upgrade as closing the gadget rather than the root cause: any prototype pollution vulnerability elsewhere in the dependency tree still needs to be fixed on its own. The disclosure illustrates a systemic risk in modern software supply chains: a foundational library such as Axios, used by millions of applications for network requests, can amplify unrelated weaknesses into cloud account takeover and data breaches.
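To make the two halves of the chain concrete, here is an added JavaScript illustration written for this article. It is not Axios source code and does not reproduce the specific gadget the advisory covers; `unsafeMerge`, `buildHeadersNaive`, `buildHeadersSafe`, `isMetadataDestination`, the attacker JSON and the metadata host list are all constructed for the example. The first part shows how a `__proto__` key fed to a careless deep merge pollutes `Object.prototype`, and how a header-handling routine that walks inherited properties then emits an attacker-chosen header. The second part shows the two mitigations a practitioner would pair with the upgrade: read only own properties into a null-prototype object, and refuse outbound requests aimed at cloud instance-metadata services.

```javascript
'use strict';

// Constructed illustration, not Axios source: a prototype-pollution bug in one
// package (unsafeMerge) turns a header-handling routine in another
// (buildHeadersNaive) into a gadget that injects an attacker-chosen header.

// Deliberately vulnerable deep merge: it follows a "__proto__" key and writes
// into Object.prototype, which every plain object in the process inherits from.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value); // recurses into Object.prototype when key is "__proto__"
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Gadget: for...in also visits inherited enumerable properties, so a polluted
// Object.prototype silently contributes extra request headers.
function buildHeadersNaive(headers) {
  const out = {};
  for (const name in headers) out[name.toLowerCase()] = String(headers[name]);
  return out;
}

// Hardened: only own properties are read, and the result has no prototype to inherit from.
function buildHeadersSafe(headers) {
  const out = Object.create(null);
  for (const name of Object.keys(headers)) out[name.toLowerCase()] = String(headers[name]);
  return out;
}

// Egress guard for the exfiltration half of the chain: refuse requests whose
// destination is a cloud instance-metadata service. WHATWG URL parsing
// canonicalises IPv4 spellings (hex, octal, single integer) before the lookup.
const METADATA_HOSTS = new Set([
  '169.254.169.254',           // AWS IMDS, Azure IMDS, GCP (IPv4)
  'fd00:ec2::254',             // AWS IMDS over IPv6
  'metadata.google.internal',  // GCP metadata hostname
  '100.100.100.200',           // Alibaba Cloud metadata
]);

function isMetadataDestination(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return true; // unparsable destination: fail closed
  }
  const host = url.hostname.replace(/^\[|\]$/g, '').toLowerCase(); // drop IPv6 brackets
  return METADATA_HOSTS.has(host);
}

// Runs the chain end to end and undoes the pollution afterwards so the
// process is left clean. The input is attacker-controlled JSON (constructed).
function demonstrateGadget() {
  const attackerJson = JSON.parse('{"__proto__": {"x-forwarded-host": "attacker.example"}}');
  try {
    unsafeMerge({}, attackerJson);
    const requestHeaders = { Accept: 'application/json' };
    return {
      naive: buildHeadersNaive(requestHeaders), // picks up x-forwarded-host from the prototype
      safe: buildHeadersSafe(requestHeaders),   // contains only the Accept header
    };
  } finally {
    delete Object.prototype['x-forwarded-host'];
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  const { naive, safe } = demonstrateGadget();
  console.log('naive headers:', naive);
  console.log('safe headers :', safe);
  console.log('0xa9fea9fe blocked:', isMetadataDestination('http://0xa9fea9fe/latest/meta-data/'));
}
```

The hostname check is a last line of defence, not a complete SSRF control: a DNS name that resolves to a link-local address, or a redirect from an allowed host, gets past it, so it belongs alongside network-level egress filtering and IMDSv2-style hop limits rather than in place of them.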