Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain

Description

No description available.

Recommendation

Update the axios package to the latest compatible version. Followings are version details:

• Affected version(s): **< 0.31.0

  >= 1.0.0, < 1.15.0**

• Patched version(s): **0.31.0

  1.15.0**

References

• GHSA-fvcv-3m26-pcqx
• cert-portal.siemens.com
• CVE-2026-40175
• CWE-113
• CWE-444
• CWE-918
• CAPEC-310
• OWASP 2021-A10
• OWASP 2021-A3
• OWASP 2021-A4
• OWASP 2021-A6

Related Issues

• Astro has Full-Read SSRF in error rendering via Host: header injection - CVE-2026-25545
• Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution - CVE-2026-30939
• parse-server has cloud function validator bypass via prototype chain traversal - CVE-2026-34532
• SillyTavern has Authentication Bypass via SSO Header Injection - CVE-2026-44649

You might also like:

How do hackers hack websites?

Host Header Injection and Python Tests with SmartScanner 1.11

Update Cheat Sheet for Developers

Tags:

npm

axios