What is Axios?
Axios is a JavaScript library intended to ease interaction with internet HTTP services. It is used by some organizations to simplify their codebase compared to using standard browser functionality.
What is the vulnerability?
Prior to version 1.15.0, the Axios library is vulnerable to a specific "Gadget" attack chain that allows Prototype Pollution in any third-party dependency to be escalated into Remote Code Execution (RCE) or Full Cloud Compromise (via AWS IMDSv2 bypass).
Ref: https://nvd.nist.gov/vuln/detail/CVE-2026-40175
Has the vulnerability been fixed?
This vulnerability has been fixed in 1.15.0.
What are WithSecure’s recommendations for partners and customers?
We recommend partners and customers who use Axios act immediately to ensure their systems are not vulnerable.
WithSecure Exposure Management can detect and notify partners and customers that they have a vulnerable version.
Detection for vulnerable versions is available in unauthenticated scanning, and we are investigating the possibility to detect them on hosts via authenticated scans
What is the status of WithSecure systems in relation to this vulnerability?
WithSecure has thoroughly checked its own systems, and has confirmed that all services using Axios are using the latest version which is not vulnerable.
Are any WithSecure products affected?
WithSecure Policy Manager does contain a vulnerable version of the Axios library, and we have created a hotfix for this issue. We advise all our Business Suite partners and customers to apply this hotfix at the earliest opportunity.
The risk can further be mitigated by ensuring that Policy Manager’s Web Reporting interface is not accessible from the internet. This can be done with external firewall configurations.
The hotfix can be downloaded from the WithSecure Download Center.