Axios
cpe:2.3:a:axios:axios:*:*:*:*:node.js:*:*
- < 1.13.2
A vulnerability in the Axios library, prior to version 1.15.0, allows for prototype pollution that can be exploited to achieve remote code execution (RCE) or full cloud compromise, particularly through an AWS metadata service bypass. This issue arises from a lack of proper sanitization of HTTP header values, enabling polluted properties to be injected as request headers. When combined with Axios's default capabilities for server-side request forgery (SSRF), this creates a critical security risk.
Exploitation of this vulnerability bypasses AWS's IMDSv2 security controls, allowing an attacker to exfiltrate sensitive metadata, including IAM credentials, and potentially compromise the associated cloud account.
To reproduce this vulnerability, first, introduce prototype pollution through a third-party library that lacks proper input validation. Once the pollution is established, Axios can be used to send a request that includes the polluted header as part of the HTTP request. Axios will merge the polluted property into the request headers and send it to the server without validation. This injected header can then be used to exploit AWS's metadata service, bypassing its security measures and allowing access to sensitive information.
Users are advised to update to Axios version 1.15.0 or later, where this vulnerability has been patched.
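The merge behaviour described above, modeled as an added example (not Axios source code and not part of this advisory): `naiveMerge`, `safeHeaders`, `pollutedKeys` and the header name `x-constructed-header` are hypothetical, and rejecting CR/LF/NUL is an assumption about what header-value sanitization should cover. It contrasts a merge that walks the prototype chain with one that copies own properties only, and adds a runtime check for enumerable keys on `Object.prototype`.

```javascript
// Simplified model of header merging for illustration; not Axios source code.
// naiveMerge, safeHeaders and pollutedKeys are hypothetical names.

// Vulnerable pattern: for...in walks the prototype chain, so a property
// planted on Object.prototype is copied as if the caller had set it.
function naiveMerge(defaults, overrides) {
  const out = {};
  for (const src of [defaults, overrides]) {
    for (const key in src) out[key] = src[key];
  }
  return out;
}

// Hardened pattern: copy own properties only, into a null-prototype object,
// and reject invalid names and values containing CR, LF or NUL.
const VALID_NAME = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/; // RFC 9110 "token"
function safeHeaders(defaults, overrides) {
  const out = Object.create(null);
  for (const src of [defaults, overrides]) {
    for (const key of Object.keys(src || {})) {
      const value = String(src[key]);
      if (!VALID_NAME.test(key)) throw new TypeError(`invalid header name: ${key}`);
      if (/[\r\n\0]/.test(value)) throw new TypeError(`invalid value for ${key}`);
      out[key.toLowerCase()] = value;
    }
  }
  return out;
}

// Detection: a healthy runtime has no enumerable keys on Object.prototype.
function pollutedKeys() {
  const found = [];
  for (const key in {}) found.push(key);
  return found;
}

// Constructed demo: simulate what a vulnerable third-party merge leaves behind.
function demo() {
  Object.prototype['x-constructed-header'] = 'constructed-value';
  try {
    return {
      detected: pollutedKeys(),
      naive: naiveMerge({ accept: 'application/json' }, {}),
      safe: safeHeaders({ accept: 'application/json' }, {}),
    };
  } finally {
    delete Object.prototype['x-constructed-header']; // always restore the runtime
  }
}
```

A check like `pollutedKeys()` in startup code or a test suite flags a polluting dependency regardless of which HTTP client version is installed.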