CVE-2026-40175 – axios
CVSS 4.8
MODERATE
Critical or Zero Day – Immediate Deployment
“HTTP client weaknesses can turn trusted outbound requests into attacker-controlled traffic paths.”
Axios patched three vulnerabilities affecting proxy handling, header injection behavior, and prototype pollution gadget exposure. CVE-2026-42043 has a CVSS score of 7.2, which is High severity. CVE-2026-40175 has a CVSS score of 4.8, which is Medium severity. CVE-2026-42264 has a CVSS score of 7.4, which is High severity.
The vulnerabilities could allow NO_PROXY bypass, unsafe outbound request manipulation, header injection, or polluted configuration values being applied to HTTP requests. Proof-of-concept code has been reported for all three vulnerabilities.
Key Details
- Affected Product
- Axios Axios
- Attack Vector
- Network
- Attack Complexity
- High
- Privileges Required
- None
- User Interaction
- None
- CWE Classification
- CWE-113
Patch this CVE on all your endpoints in under 5 minutes.
First 200 endpoints are free forever, scale as needed.