CVE-2026-40175 in Axios is rated critical (10/10) and described as enabling AWS credential theft via a prototype pollution → CRLF injection → SSRF → IMDSv2 bypass chain. However, the vulnerability is not realistically exploitable in standard Node.js environments because Node.js has blocked CRLF characters in HTTP headers at the runtime level for years. This was confirmed by the original researcher, who noted the same protection applies in Bun and Deno. The underlying library-level issue is real and patching to Axios ≥ 1.15.0 is recommended, but the critical rating reflects worst-case theoretical chaining rather than practical exploitability. Exploitation would require a custom Axios adapter that bypasses Node's HTTP client entirely.
Table of contents
What the CVE ClaimsWhat actually happens in Node.jsWe verified this with the researcherWhy the CVE still existsWhat about the IMDSv2 bypass?Why this was rated criticalWhat developers should actually doSort: