HTTP Response Splitting Affecting axios package, versions <1.15.0
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-JS-AXIOS-15969258
- published10 Apr 2026
- disclosed10 Apr 2026
- creditraulvdv
Introduced: 10 Apr 2026
NewCVE-2026-40175 (opens in a new tab)How to fix?
Upgrade axios to version 1.15.0 or higher.
Overview
axios is a promise-based HTTP client for the browser and Node.js.
Affected versions of this package are vulnerable to HTTP Response Splitting via the merged HTTP header values received from third-party libraries. This can allow a chain attack from prototype pollution in dependencies escalate to remote code execution or full cloud environment compromise. An attacker can execute arbitrary code or access sensitive cloud metadata by injecting malicious headers with CRLF values.
Note:
This issue can be exploited only as part of a chained attack and requires successful Prototype Pollution in any third-party dependency.