
Axios Has a CVSS 10 Bug, Risks "Full Cloud Compromise"
Why It Matters
Axios is one of the most widely used HTTP clients in the JavaScript ecosystem, so a flaw in it reaches an enormous number of cloud workloads. Chained with a prototype-pollution bug in the consuming application, it can expose instance credentials and enable service takeover, which makes rapid patching essential for enterprises.
Key Takeaways
- Axios CVSS 10 flaw enables remote code execution.
- Injected requests can reach AWS IMDSv2 from inside the instance, risking full cloud compromise.
- Root cause: Axios did not reject CRLF in header values; prototype pollution in the consuming application supplies the malicious header.
- Over 48,000 instances may be directly exposed today.
- Fixed in Axios v1.15.0, which validates headers for CRLF sequences.
Pulse Analysis
Axios has become a de-facto standard for HTTP requests in JavaScript, with billions of downloads and a place in most cloud-native stacks. That ubiquity means a single flaw ripples across a vast attack surface, and the CVSS 10 rating places this issue among the most severe software vulnerabilities of recent years. The recent Axios supply-chain breach drew headlines, but this separate header-sanitization bug is a reminder that even well-maintained open-source components can carry critical weaknesses that go unnoticed until a dedicated security audit surfaces them.
The exploit chain has two halves. The first is a prototype-pollution primitive somewhere in the application or its dependencies: any code that recursively merges attacker-controlled objects (a JSON body, a query string) into configuration without refusing keys such as __proto__ lets the attacker write arbitrary properties onto Object.prototype. The second half is Axios itself: when it merges request headers it picks up those inherited properties, and because it did not strip or reject CR and LF characters in header values, a header value containing a CRLF sequence followed by a new request line terminates the legitimate header block and appends a second, attacker-chosen request on the same connection (request splitting, commonly grouped under request smuggling). When the server's outbound request is pointed at the AWS Instance Metadata Service, the appended request talks to IMDSv2 from inside the instance and can retrieve temporary credentials, and with them the attacker achieves full cloud compromise without ever passing input to Axios directly; the polluted prototype does it for them. The effect is to turn a benign HTTP client into a post-exploitation gadget, underscoring the danger of unchecked header handling in widely used libraries.
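The chain above, as an added illustration in JavaScript (this is neither Axios's code nor the article's, but a deliberately simplified model): a deep merge that follows `__proto__` pollutes `Object.prototype`, a header merge that walks inherited properties picks the polluted entry up, and a serializer with no CR/LF check emits two requests where one was intended. The `X-Injected` header name, the `/injected` second request and the `Accept` default are constructed placeholders; the real payload and the IMDS interaction are not reproduced. `safeMerge` and `serializeSafe` show the two places the chain can be cut: the application's merge and the client's header validation.

```javascript
// Added illustration, not Axios's code: a simplified model of the chain the
// article describes. naiveMerge stands in for any prototype-pollution-prone
// deep merge in the application; mergeHeadersUnsafe/serialize stand in for a
// client that copies inherited header properties and never checks for CR/LF.
// The injected second request below is a placeholder, not the real payload.

// Pollution sink: a recursive merge that happily follows a "__proto__" key.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (val !== null && typeof val === 'object' && !Array.isArray(val)) {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      naiveMerge(target[key], val); // target['__proto__'] is Object.prototype
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Application-side fix: skip prototype-related keys and only touch own properties.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const val = source[key];
    if (val !== null && typeof val === 'object' && !Array.isArray(val)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== 'object') target[key] = {};
      safeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Pre-fix client model: for...in walks the prototype chain, so a polluted
// property silently becomes a request header.
function mergeHeadersUnsafe(defaults, perRequest) {
  const out = {};
  for (const name in defaults) out[name] = defaults[name];
  for (const name in perRequest) out[name] = perRequest[name];
  return out;
}

// Writes the request the way it would hit the wire; no validation here.
function serialize(method, path, headers) {
  let raw = `${method} ${path} HTTP/1.1\r\n`;
  for (const [name, value] of Object.entries(headers)) raw += `${name}: ${value}\r\n`;
  return raw + '\r\n';
}

// Fixed client model: any CR or LF in a header name or value aborts the request.
function serializeSafe(method, path, headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (/[\r\n]/.test(name) || /[\r\n]/.test(String(value))) {
      throw new Error(`header "${name}" contains CR/LF; request aborted`);
    }
  }
  return serialize(method, path, headers);
}

// How many request lines are in the raw bytes: 1 normally, 2 if the headers
// were split into a second, attacker-chosen request.
function countRequests(raw) {
  return (raw.match(/^[A-Z]+ \S+ HTTP\/1\.1\r\n/gm) || []).length;
}

function demo() {
  // Constructed attacker input, e.g. a JSON body the app deep-merges into its config.
  const attackerJson =
    '{"__proto__":{"X-Injected":"x\\r\\nGET /injected HTTP/1.1\\r\\nHost: target\\r\\n"}}';
  const result = {};
  try {
    naiveMerge({}, JSON.parse(attackerJson));            // pollutes Object.prototype
    result.polluted = ({})['X-Injected'] !== undefined;   // every object now inherits it
    const headers = mergeHeadersUnsafe({ Accept: 'application/json' }, {});
    result.unsafeRequests = countRequests(serialize('GET', '/api', headers)); // split into 2
    try {
      serializeSafe('GET', '/api', headers);
      result.safeRejected = false;
    } catch (e) {
      result.safeRejected = true;                         // CR/LF check aborts it
    }
  } finally {
    delete Object.prototype['X-Injected'];                // undo the pollution
  }
  safeMerge({}, JSON.parse(attackerJson));                // same payload, hardened sink
  result.safeMergePolluted = ({})['X-Injected'] !== undefined;
  return result;
}
```

Running `demo()` reports the prototype as polluted, two request lines on the wire from a single `GET /api`, the safe serializer refusing to send, and a clean prototype after the same payload goes through `safeMerge`. Note that the client-side check alone is enough to stop the split request, but the application-side fix is what stops the attacker from reaching into every object in the process.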
Mitigation is straightforward: upgrade to Axios v1.15.0 or later, which validates headers for CRLF sequences and aborts malformed requests. Organizations should prioritize patch deployment across all services, especially those running on AWS, and use runtime monitoring to flag anomalous internal HTTP calls, for instance traffic to the instance metadata endpoint from processes that never normally need it. The episode is also a reminder for developers to audit third-party dependencies for prototype-pollution vectors (deep merges and object-extension helpers that accept untrusted keys) and to enforce strict input sanitization. In an era of increasingly common supply-chain attacks, a rapid response process for open-source vulnerabilities is essential to protect cloud infrastructure and preserve trust in the software ecosystem.
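A check a practitioner would want before and after patching, added here as an example (not the article's or the Axios project's tooling): scan an npm lockfile for every installed copy of axios older than v1.15.0, including nested copies pulled in by other packages, which a glance at package.json misses. It assumes the standard package-lock.json layouts (lockfileVersion 1 with a `dependencies` tree, 2 or 3 with a `packages` map) and compares only the numeric part of a version string; the sample lockfile is constructed.

```javascript
// Added example, not part of the article or of Axios: report every copy of a
// package in an npm lockfile that is older than the fixed version.
// Assumed: standard package-lock.json shapes; pre-release tags are ignored and
// only the numeric major.minor.patch is compared (a simplification).

function parseVersion(v) {
  return v.replace(/^[^\d]*/, '').split('.').map(p => parseInt(p, 10) || 0);
}

// true when version a sorts strictly before version b
function isOlder(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

function findVulnerable(lock, pkg = 'axios', fixed = '1.15.0') {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: keys are install paths such as node_modules/a/node_modules/axios
    for (const [path, meta] of Object.entries(lock.packages)) {
      const isPkg = path === `node_modules/${pkg}` || path.endsWith(`/node_modules/${pkg}`);
      if (isPkg && meta.version && isOlder(meta.version, fixed)) {
        hits.push({ path, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested "dependencies" tree
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === pkg && meta.version && isOlder(meta.version, fixed)) {
          hits.push({ path, version: meta.version });
        }
        if (meta.dependencies) walk(meta.dependencies, path + '/');
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Constructed sample lockfile (v3 shape): one outdated direct copy and one
// already-patched copy nested under another dependency.
const SAMPLE_LOCK = {
  name: 'example-service',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-service', dependencies: { axios: '^1.12.0', 'some-sdk': '^2.0.0' } },
    'node_modules/axios': { version: '1.12.0' },
    'node_modules/some-sdk': { version: '2.0.0', dependencies: { axios: '^1.15.0' } },
    'node_modules/some-sdk/node_modules/axios': { version: '1.15.0' },
  },
};

// Usage: node audit-axios.js [path/to/package-lock.json]; falls back to the sample.
// Exits non-zero when anything outdated is found, so it can gate a CI pipeline.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  const hits = findVulnerable(lock);
  for (const h of hits) console.log(`${h.path}: ${h.version} is older than 1.15.0`);
  process.exitCode = hits.length ? 1 : 0;
}
```

Against the sample it flags only `node_modules/axios` at 1.12.0; the nested copy under `some-sdk` is already on 1.15.0 and passes. Run it over each service's committed lockfile rather than a local `node_modules`, since that is what production builds install from.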