CVE-2026-40175 Exploit & Vulnerability Analysis

1. Vulnerability Background

CVE-2026-40175 is a high-impact vulnerability affecting Axios versions prior to 1.15.0 and 0.3.1. Axios is a widely used promise-based HTTP client for browsers and Node.js, and this issue is notable because it allows a prototype pollution condition in any third-party dependency to be escalated through Axios into far more severe outcomes.

Why it is critical:

• Prototype pollution is a dangerous class of JavaScript vulnerability because it changes the behavior of otherwise benign object operations.
• In this case, the vulnerability is part of a gadget chain that can turn prototype pollution into remote code execution (RCE).
• The exploit path also includes the possibility of full cloud compromise via AWS IMDSv2 bypass, making it especially dangerous for cloud-hosted Node.js applications.

Affected systems/versions:

• Axios versions older than 1.15.0
• Axios legacy branch versions older than 0.3.1
• Both browser and Node.js applications that depend on these versions, especially when combined with a third-party dependency already vulnerable to prototype pollution

2. Technical Details

Root cause analysis:

• The patch diff shows two distinct unsafe patterns in docs/scripts/process-sponsors.js:

  1. buildLinks accepted arbitrary URLs and normalized them without validating the URL scheme.
  2. sponsorsByTier was initialized as a normal object literal ({}) and populated using attacker-controlled keys derived from sponsor.tier.

• The first flaw means new URL(url) could process javascript:, data:, or other non-HTTP schemes and then return a normalized value. In contexts where this value is later used in HTML or as a redirect target, it can lead to unsafe behavior.

• The second flaw is classic prototype pollution territory. When dynamic keys are indexed into a plain object, keys like __proto__, constructor, or inherited property names can collide with the object prototype. This can lead to unexpected property resolution and can be used as part of a gadget chain to poison object behavior.

Attack vector and exploitation conditions:

• An attacker needs a way to influence the inputs processed by Axios or the surrounding application logic.
• In the sample patched code, the attacker-controlled data would be:
  • a sponsor URL passed to buildLinks
  • a sponsor tier value used as an object key in sponsorsByTier
• The real-world escalation relies on a third-party dependency already allowing prototype pollution; Axios’s unsafe handling makes that pollution exploitable in a higher-impact way.

Security implications:

• If a vulnerable application uses Axios in a code path that processes untrusted data, an attacker can potentially escalate a prototype pollution bug into RCE.
• In cloud deployments, compromise can go further by abusing the gadget chain to bypass AWS IMDSv2 protections and retrieve instance credentials.

3. Patch Analysis

What code changes were made:

• In buildLinks, the patched code adds a protocol allowlist:
  • only http: and https: are accepted after parsing the URL
  • any other protocol causes the function to return null
• The catch block was also hardened to return null instead of the original URL.
• In sponsor aggregation logic, sponsorsByTier initialization changed from:
  • const sponsorsByTier = {}; to:
  • const sponsorsByTier = Object.create(null);

How these changes fix the vulnerability:

• URL scheme validation prevents attacker-supplied non-HTTP URLs from being treated as safe output. This closes an injection/redirect/unsafe URL path that could otherwise be used in exploitation.
• Using Object.create(null) removes the standard object prototype from sponsorsByTier. This means arbitrary keys are stored as pure data and cannot collide with inherited prototype properties such as __proto__, constructor, toString, etc.

Security improvements introduced:

• Failing closed on invalid or unsafe URL inputs.
• Removal of prototype inheritance from an object used as a dynamic key map.
• Elimination of a class of prototype pollution vectors from the affected code path.

4. Proof of Concept (PoC) Guide

Prerequisites for exploitation:

• A vulnerable Axios build or environment using Axios <1.15.0 / <0.3.1
• Control over data that reaches the vulnerable processing code, specifically:
  • sponsor URLs
  • sponsor tier strings

Step-by-step exploitation approach:

1. Prototype pollution vector:

   • Supply a sponsor entry with a tier value such as __proto__, constructor, or toString.
   • Let the code process sponsorsByTier[sponsor.tier] ||= [] on a plain object.
   • Because sponsorsByTier inherits from Object.prototype, this can interact badly with prototype properties and allow unexpected behavior.

2. URL scheme vector:

   • Supply a sponsor URL like javascript:alert(1) or data:text/plain,hello.
   • The vulnerable buildLinks function will accept it, create a URL object, append UTM parameters, and return the normalized string.
   • The result is an unsafe URL that may be reflected or used in the application.

Expected behavior vs exploited behavior:

• Expected:
  • Only http and https links are accepted and rewritten.
  • Sponsor tier keys are stored in a pure map without prototype consequences.
• Exploited:
  • Non-http schemes are accepted, allowing dangerous URLs to be emitted.
  • Special tier keys can collide with the prototype, leading to prototype pollution or broken application logic.

How to verify the vulnerability exists:

• For URL validation:

  • Run buildLinks('javascript:alert(1)') against the vulnerable code.
  • If it returns a string starting with javascript:, the unsafe behavior is present.
  • After patch, it should return null.

• For prototype pollution:

  • Run the sponsor aggregation with a tier value like __proto__ or toString.
  • If the code uses a normal object, the behavior will differ from a prototype-less map and may fail to create the intended bucket or may expose inheritance collisions.
  • After patch, Object.create(null) ensures such keys are handled safely as plain data.

5. Recommendations

Mitigation strategies:

• Upgrade Axios to at least 1.15.0 or 0.3.1.
• If immediate upgrade is not possible, audit application code for untrusted URL handling and dynamic object property assignment.
• Treat user-controlled strings used as object keys as untrusted input and avoid mapping them into plain objects with inherited prototypes.

Detection methods:

• Scan dependencies for axios versions <1.15.0 / <0.3.1.
• Static code analysis for:
  • new URL(...) used without validating the protocol
  • dynamic object keys on object literals ({}) when the key originates from external input
• Runtime tests that exercise malicious values such as javascript: URLs and prototype property names.

Best practices to prevent similar issues:

• Use allowlists for URL schemes and reject anything outside http/https in contexts where only web URLs are expected.
• Use Object.create(null) or Map for dynamic maps keyed by untrusted values.
• Avoid ||= or similar assignment patterns on objects that may have inherited properties if keys are attacker-controlled.
• Harden JavaScript code against prototype pollution by validating and canonicalizing input at the boundary.
• Monitor the dependency chain for gadget-chain vulnerabilities, not just direct package issues, since prototype pollution often requires a multi-stage exploitation path.