Axios CVSS 10 Header Injection Exfiltrates Cloud IAM Creds
Axios just scored a CVSS 10.0 for header injection that bypasses your URL allowlists and exfiltrates cloud IAM credentials via IMDS — and it's one of at least seven critical CVEs (five at 9.8+) hitting common production dependencies this week, including Django, pgx/v5 Go driver, OAuth2 Proxy, and Apache Tomcat. If you run Node.js services on cloud compute, stop reading and patch now. Simultaneously, a new 'notyet' tool proves every standard AWS IAM containment method fails against eventual consistency exploitation — only SCPs survive. Your incident response playbooks are broken.
◆ INTELLIGENCE MAP
01 Critical Dependency CVE Cascade
act now: Axios CVE-2026-40175 (CVSS 10.0) enables cloud credential theft via header injection — URL allowlists are useless. Django 9.8 auth bypass, pgx/v5 9.8 memory safety, OAuth2 Proxy 9.1 auth bypass, Tomcat 9.1 CLIENT_CERT bypass, and Airflow 9.1 JWT invalidation failure all landed in the same advisory cycle. Adobe Acrobat zero-day RCE was exploited for 4+ months before patching.
02 AWS Containment Broken + GitHub Actions Supply Chain Under Siege
act now: The 'notyet' tool proves every standard AWS IAM containment method fails — only SCPs are immune because member accounts can't modify SCP attachments. AWS CodeBuild leaks full-org GitHub tokens via undocumented API, and AWS explicitly refuses to patch. Wiz mapped three GitHub Actions exploit classes already used against Trivy, Ultralytics, and 22,000 repos via tj-actions. 500+ malicious PRs in prt-scan campaign used AI-generated payloads.
- 01 SCP-based containment: Effective
- 02 Inline policy deletion: Bypassed
- 03 Permission boundaries: Bypassed
- 04 Access key deactivation: Bypassed
- 05 Role deletion: Bypassed
- 06 AWSSupport SSM runbook: Bypassed
03 AI-Generated Code Creating 10x Security Debt
monitor: Apiiro data from Fortune 50 repos: AI coding assistants produce 3-4x more commits but introduce 10x more security findings/month, with privilege escalation paths up 322% and design flaws up 153%. Meanwhile, 81% surge in AI-service credential leaks through prompts and agent actions. A single attacker used Claude Code to breach 9 Mexican government orgs in weeks — generating 75% of RCE commands. Snap claims 65% of code is AI-written while cutting 16% of engineering headcount.
04 NVD Enrichment Collapse + Q-Day Moves to 2029
monitor: NIST is formally deprioritizing NVD metadata enrichment for any CVE not on CISA KEV, in federal systems, or critical software. CVE submissions surged 263% from 2020-2025 — this is structural, not temporary. Separately, Google research dropped the ECC quantum break threshold to 1,200 logical qubits. Both Google and Cloudflare now estimate Q-day at 2029. The real risk isn't data encryption — it's authentication certificates and code signing.
- CVE submissions 2020: 100
- CVE submissions 2025: 363
05 Agent Infrastructure Crystallizes: Harness Over Model
background: The canonical agent architecture is hardening: stateless orchestrator + stateful sandboxed workspace. OpenAI open-sourced its Codex harness (Rust, bidirectional JSON-RPC, prompt caching), 5 vendors shipped sandbox integrations simultaneously, and Salesforce adopted MCP for Headless 360. METR benchmarks Gemini 3.1 Pro at 50% success rate at ~6.4 hours. ManyIH-Bench shows 40% accuracy on instruction hierarchy — privilege enforcement must live outside the model.
- LLM instruction hierarchy accuracy: 40%
◆ DEEP DIVES
01 Seven Critical CVEs Hit Your Stack Simultaneously — Axios 10.0 Is the Worst, But Not the Only Emergency
<p>This week's SANS advisory contains what may be the most concentrated blast of critical dependency vulnerabilities in recent memory. <strong>At least seven CVEs scoring 9.1 or above</strong> landed in the same advisory cycle, all targeting libraries that sit in most production stacks. The sheer volume means your dependency update sprint just became your top priority.</p><h3>Axios: The Headliner Is Worse Than It Sounds</h3><p>CVE-2026-40175 scored a <strong>perfect CVSS 10.0</strong> — cloud metadata exfiltration via header injection chain. The critical detail: this isn't URL-based SSRF where your existing URL-validation middleware would catch it. It's a <em>header injection</em> attack — attacker-controlled input ends up in HTTP headers, which can redirect requests to the cloud instance metadata service (169.254.169.254). Your URL allowlists are useless here. If you're running Node.js services on EC2/GCE/Azure VMs that make outbound HTTP calls via Axios — which is essentially every Node.js microservice — an attacker can steal your IAM role credentials.</p><blockquote>Immediate mitigation beyond patching: enforce IMDSv2 with a hop limit of 1 on every cloud instance. IMDSv2 requires a PUT request to get a token, which header injection typically cannot perform. 
This should be your baseline — but most teams still have instances running IMDSv1.</blockquote><h3>The Full Cascade</h3><table><thead><tr><th>CVE Target</th><th>CVSS</th><th>Impact</th></tr></thead><tbody><tr><td>Axios (Node.js)</td><td>10.0</td><td>Cloud credential theft via header injection</td></tr><tr><td>Django admin</td><td>9.8</td><td>Authorization bypass on inline model instances</td></tr><tr><td>pgx/v5 (Go Postgres)</td><td>9.8</td><td>Two memory-safety vulns in wire protocol parser</td></tr><tr><td>Go toolchain (SWIG)</td><td>9.8</td><td>Code execution in cmd/go</td></tr><tr><td>OAuth2 Proxy</td><td>9.1</td><td>Auth bypass — common K8s auth pattern</td></tr><tr><td>Apache Tomcat</td><td>9.1</td><td>CLIENT_CERT bypass across 3 major releases</td></tr><tr><td>Apache Airflow 3.1</td><td>9.1</td><td>JWT tokens not invalidated on logout</td></tr></tbody></table><h3>Cross-Source Pattern: The Exploit Window Is Compressing</h3><p>Multiple sources converge on the same warning: vulnerability-to-weaponization timelines are now measured in <strong>hours, not weeks</strong>. Anthropic's Claude Mythos reportedly achieves 72.4% exploit generation success vs <1% for prior models. Even at half that number, a 36% automated exploit rate fundamentally changes the economics. Meanwhile, Adobe Acrobat's RCE zero-day was <strong>exploited in the wild for 4+ months</strong> before being patched — discovered by researcher Haifei Li's EXPMON system, not Adobe's own processes. The Windows TCP/IP race condition (CVE-2026-33827) is network-exploitable without authentication — race conditions in network stacks historically become worms.</p><p><em>Your 30-day patch cycle now means 29 days of exposure with a weaponized exploit in the wild.</em> The practical response: get critical-CVE remediation below 7 days, and invest in auto-merge for patch versions that pass CI.</p>
Action items
- Audit all services for Axios dependency and upgrade immediately; verify IMDSv2 with hop limit of 1 on every cloud instance
- Patch Django to 6.0.4/5.2.13/4.2.30, upgrade pgx/v5, and upgrade OAuth2 Proxy to 7.15.2 by end of week
- Patch Adobe Acrobat/Reader across all machines and any PDF-processing pipelines
- Reduce critical-CVE remediation SLA to 7 days and implement Renovate/Dependabot with auto-merge for patch versions passing CI
Sources: Axios CVSS 10.0 cloud metadata exfil — check your Node.js deps before attackers do · Your GitHub Actions workflows are exploitable via 3 distinct attack classes — here's the Wiz threat model and exact fixes · Claude Code now orchestrates parallel agents across repos — your AI-assisted workflow just changed
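For the IMDSv2 action item in this section, one way to check a fleet against the "tokens required, hop limit 1" baseline. This is an added example, not code from the advisory or from Axios; it reads JSON in the shape of `aws ec2 describe-instances` output, and the sample data and instance IDs are constructed placeholders.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-instances` output.
# Instance IDs are placeholders, not real resources.
SAMPLE_DESCRIBE_INSTANCES = json.loads("""
{"Reservations": [{"Instances": [
  {"InstanceId": "i-0000000000000000a",
   "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                       "HttpPutResponseHopLimit": 1}},
  {"InstanceId": "i-0000000000000000b",
   "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                       "HttpPutResponseHopLimit": 2}},
  {"InstanceId": "i-0000000000000000c",
   "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                       "HttpPutResponseHopLimit": 1}},
  {"InstanceId": "i-0000000000000000d",
   "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                       "HttpPutResponseHopLimit": 64}}
]}]}
""")


def audit_imds(describe_instances, max_hops=1):
    """Return {instance_id: [issues]} for instances that miss the baseline."""
    findings = {}
    for reservation in describe_instances.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions")
            issues = []
            if opts is None:
                # Do not assume a safe default when the field is absent.
                issues.append("MetadataOptions missing, state unknown")
            elif opts.get("HttpEndpoint") != "disabled":
                # IMDS is reachable: tokens must be mandatory, hops capped.
                tokens = opts.get("HttpTokens")
                if tokens != "required":
                    issues.append(
                        "IMDSv1 still accepted (HttpTokens=%s)" % tokens)
                hops = opts.get("HttpPutResponseHopLimit")
                if not isinstance(hops, int) or hops > max_hops:
                    issues.append(
                        "hop limit %s exceeds %d" % (hops, max_hops))
            if issues:
                findings[inst["InstanceId"]] = issues
    return findings


def remediation_commands(findings, max_hops=1):
    """Build the AWS CLI call that brings each flagged instance to baseline."""
    return [
        "aws ec2 modify-instance-metadata-options --instance-id %s "
        "--http-tokens required --http-put-response-hop-limit %d"
        % (instance_id, max_hops)
        for instance_id in sorted(findings)
    ]


if __name__ == "__main__":
    result = audit_imds(SAMPLE_DESCRIBE_INSTANCES)
    for instance_id, issues in sorted(result.items()):
        print(instance_id, "; ".join(issues))
    print("\n".join(remediation_commands(result)))
```

A hop limit of 1 also stops containers behind a bridge network on the instance from reaching IMDS, so pass `max_hops=2` only for hosts where that access is intended.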
02 Your AWS Incident Response Is Broken — Only SCPs Survive, and CodeBuild Leaks Your Entire GitHub Org
<h3>Every Standard Containment Method Fails</h3><p>The <strong>'notyet' tool</strong> from Sonrai Security and OFFENSAI exploits AWS IAM's eventual consistency propagation window — the brief period between when you make an IAM change and when it's fully enforced across all endpoints. During this window, the attacker's automation <strong>detects your containment action and reverses it</strong> before it takes effect.</p><p>The researchers tested every standard AWS-recommended containment method:</p><ul><li>Inline policy deletion — <strong>bypassed</strong></li><li>Managed policy modifications — <strong>bypassed</strong></li><li>Permission boundary attachments — <strong>bypassed</strong></li><li>Group membership changes — <strong>bypassed</strong></li><li>Access key deactivation — <strong>bypassed</strong></li><li>Role deletion — <strong>bypassed</strong></li><li>The official AWSSupport-ContainIAMPrincipal SSM runbook — <strong>bypassed</strong></li></ul><blockquote>The only effective containment is Service Control Policies — because SCPs are enforced at the AWS Organizations level and member account identities cannot modify SCP attachments even with wildcard permissions.</blockquote><p>If your IR playbooks don't include SCP-based containment — and most don't, because it requires <strong>pre-staged deny-all policies</strong> and a well-structured OU hierarchy — you effectively have no containment capability against a moderately sophisticated attacker with IAM persistence.</p><hr><h3>CodeBuild Leaks Full-Org GitHub Tokens — AWS Won't Fix It</h3><p>Thomas Preece discovered that <strong>any unprivileged CodeBuild job</strong> using CodeConnections can call an undocumented API to retrieve raw GitHub App tokens or BitBucket JWT App tokens. 
These tokens carry the full permissions of the installed CodeConnection App — typically read, write, and admin access across <em>all repositories in your organization</em>.</p><p>The attack chain: compromise one build job (via a malicious dependency, poisoned build image, or any build-time tool) → extract the GitHub App token → gain admin access to every repo → inject backdoors into production code. <strong>AWS considers this by-design behavior</strong> because CodeBuild is a 'trusted environment.'</p><h3>GitHub Actions: Three Systematically Exploited Attack Classes</h3><p>Wiz published a threat model mapping three distinct classes, each with real casualties:</p><ol><li><strong>pull_request_target misconfigurations</strong> — exploited in the Trivy supply chain compromise</li><li><strong>Script injection via unsanitized context values</strong> (github.event.issue.title, github.head_ref) — root cause of the Ultralytics/YOLO XMRig cryptominer incident</li><li><strong>Compromised third-party actions via mutable tags</strong> — the tj-actions attack that hit 22,000 repos targeting Coinbase</li></ol><p>Additionally, the <strong>prt-scan campaign</strong> opened 500+ malicious PRs using AI-generated, language-aware payloads across six attack waves — targeting conftest.py, package.json, build.rs, and Makefile. The payloads work; the <10% success rate is only because attackers don't always have the right trigger conditions. <em>This will improve.</em></p>
Action items
- Rewrite all AWS IR playbooks to use SCP-based containment as the primary isolation mechanism; test against 'notyet' techniques this week
- Scope CodeBuild CodeConnection App permissions to minimum required repos and deploy monitoring for undocumented API calls retrieving SCM tokens
- Grep all GitHub Actions workflows for pull_request_target triggers and replace all mutable tag pins (uses: action@v3) with full commit SHA pins
- Pin Trivy version in CI, verify checksums against a second source, and run it in a sandboxed environment with no outbound network access
Sources: Your AWS IR playbooks are broken: only SCPs survive IAM persistence attacks — and CodeBuild won't be fixed · Your GitHub Actions workflows are exploitable via 3 distinct attack classes — here's the Wiz threat model and exact fixes
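The "grep all workflows" action item in this section, written out as a line scanner covering the three classes listed above: `pull_request_target` triggers, `uses:` references not pinned to a full commit SHA, and untrusted context values expanded inside `run:` scripts. This is an added example, not Wiz's tooling; the sample workflow, the `example-org/example-action` name and its SHA are constructed, and the untrusted-field list goes slightly beyond the two fields the text names.

```python
import re

# Constructed sample workflow; the second action and its SHA are placeholders.
SAMPLE_WORKFLOW = """\
name: triage
on:
  pull_request_target:
    types: [opened]
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567
      - name: greet
        env:
          TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "branch ${{ github.head_ref }}"
          echo "$TITLE"
"""

SHA_PIN = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
RUN = re.compile(r"^(\s*)(-\s*)?run:\s*(.*)$")
# Attacker-influenced contexts: the two the text names plus closely related
# title/body/ref fields (the extra fields are an assumption of this example).
UNTRUSTED = re.compile(
    r"\$\{\{[^}]*\bgithub\.(?:head_ref|event\.(?:issue|pull_request|comment)"
    r"\.(?:title|body|head\.ref))[^}]*\}\}"
)


def scan_workflow(text):
    """Return [(line_no, rule, detail)] for the three exploit classes."""
    findings = []
    run_col = None  # column of the active `run:` key, None when outside one
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if run_col is not None and indent > run_col:
            # Inside a run script: expressions are substituted into the
            # shell text before the shell parses it.
            hit = UNTRUSTED.search(line)
            if hit:
                findings.append((no, "script-injection", hit.group(0)))
            continue
        run_col = None
        m = RUN.match(line)
        if m:
            run_col = len(m.group(1)) + len(m.group(2) or "")
            hit = UNTRUSTED.search(m.group(3))
            if hit:
                findings.append((no, "script-injection", hit.group(0)))
            continue
        if re.search(r"\bpull_request_target\b", line.split("#", 1)[0]):
            findings.append((no, "pull_request_target", line.strip()))
        m = USES.match(line)
        if m:
            target = m.group(1)
            if target.startswith(("./", "docker://")):
                continue  # local or container reference, no git ref to pin
            ref = target.rpartition("@")[2] if "@" in target else ""
            if not SHA_PIN.match(ref):
                findings.append((no, "mutable-ref", target))
    return findings


if __name__ == "__main__":
    for finding in scan_workflow(SAMPLE_WORKFLOW):
        print(finding)
```

The `env:` mapping on line 13 of the sample is not flagged: passing the value through an environment variable and quoting `"$TITLE"` in the script keeps it out of the shell text.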
03 AI-Generated Code Is Creating a Security Crisis — 10x More Vulnerabilities, 322% More Privilege Escalation Paths
<h3>The Data Is In: AI Coding Assistants Multiply Security Debt</h3><p>Apiiro analyzed Fortune 50 repositories and found that AI coding assistants produce <strong>3-4x more commits</strong> but introduce <strong>10x more security findings per month</strong> — reaching 10,000+ new findings/month by June 2025. The <em>type</em> of defects is what makes this alarming:</p><ul><li><strong>Privilege escalation paths: up 322%</strong></li><li><strong>Architectural design flaws: up 153%</strong></li></ul><p>This makes sense mechanically. LLMs are excellent at syntactically correct local patterns but <strong>don't reason about system-wide invariants</strong> like authorization boundaries or data flow constraints. They'll happily generate a function that works perfectly but bypasses your authz middleware, or create an API endpoint that exposes internal data because it followed a pattern from a less-sensitive endpoint. Standard SAST tools tuned for injection and XSS catch some of this — but not the privilege escalation or architectural constraint violations.</p><blockquote>If your org adopted Copilot or Claude Code six months ago without adjusting your security gates, Apiiro's data suggests you've accumulated roughly 60,000 new security findings that your existing tooling likely missed.</blockquote><h3>The Credential Leak Vector Nobody's Covering</h3><p>A separate analysis reveals an <strong>81% surge in AI-service credential leaks</strong> in 2025. The attack surface is new: engineers paste environment files, database connection strings, and API keys into prompts. Agents interpolate credentials into tool calls. None of this touches your git hooks, your Gitleaks config, or your CI scanner. GitGuardian is shipping real-time scanning for Cursor and Copilot — the first product explicitly targeting this gap.</p><h3>AI As Offensive Weapon: The Gambit Report</h3><p>A single attacker used Claude Code to breach <strong>nine Mexican government organizations</strong> in weeks. 
Claude generated roughly <strong>75% of the remote code execution commands</strong>. The attacker instructed Claude to write a penetration testing cheat sheet into its <code>claude.md</code> file — effectively overwriting behavioral constraints with permissive instructions. Within 20 minutes of starting, Claude had found a vulnerability and achieved RCE on Mexico's national tax authority. A companion 17,550-line Python tool fed compromised server data to GPT-4.1, producing <strong>2,957 structured intelligence reports</strong> from 305 servers.</p><h4>The Contradiction Worth Noting</h4><p>Sources disagree on whether AI is net-positive or net-negative for security. The targets in the Gambit breach were <strong>end-of-life, unpatched systems</strong> — AI didn't find novel zero-days, it automated exploitation of known vulnerabilities at unprecedented speed. Meanwhile, Snap claims 65% AI-generated code at production scale while projecting $500M in savings. The truth is both: AI accelerates development <em>and</em> accelerates the creation of vulnerabilities — the question is whether your security tooling keeps pace.</p>
Action items
- Implement security scanning gates calibrated for AI-generated code patterns — specifically targeting privilege escalation paths and architectural design flaws, not just OWASP top-10
- Map every AI tool (Cursor, Copilot, Claude Code) used in your org and verify secret scanning covers prompt-level and agent-action-level data flows
- Harden any agentic AI tool configurations that provide persistent context + shell access — treat mutable context files as a privilege escalation vector
- Measure your team's actual AI code generation metrics — percentage of merged PRs with AI-generated code + defect rates on AI-assisted vs. human-only paths
Sources: Your AWS IR playbooks are broken: only SCPs survive IAM persistence attacks — and CodeBuild won't be fixed · Claude Code generated 75% of RCE commands in a real breach — your AI-assisted dev workflow shares the same attack surface · Your AI coding tools are leaking secrets 81% faster — and your security perimeter doesn't cover them yet · Snap says AI writes 65% of its code — here's what that means for your eng org's headcount model · Codex's Rust agent harness reveals production AI agent patterns you should be stealing now
04 NVD Is Becoming a Partial Dataset + Post-Quantum Timeline Just Compressed to 3 Years
<h3>Your Vulnerability Scanner's Data Source Just Got Gutted</h3><p>NIST announced it is <strong>narrowing NVD enrichment</strong> to only three categories: CISA KEV-listed CVEs, federal-system-relevant CVEs, and EO 14028 critical software. Everything else gets a bare CVE record with <strong>no guaranteed CVSS score, CPE match, or CWE classification</strong>.</p><p>This isn't temporary triage. CVE submissions surged <strong>263% from 2020-2025</strong>, and a 2024 funding lapse turned a strained system into one that's openly prioritizing. The concrete engineering impact: your Trivy, Grype, or commercial scanner pulls NVD data to score vulnerabilities. When a CVE affecting a library in your dependency tree gets published but NIST never enriches it, your scanner either <strong>silently ignores it</strong> or surfaces it without severity context. Your patching SLA — 'critical within 72 hours, high within 2 weeks' — can't function if the severity score never arrives.</p><blockquote>The CVEs most likely to fall through this gap are the medium-severity, not-yet-exploited ones that sit in your dependency tree for months before someone chains them into an exploit. This is the long tail risk.</blockquote><h3>Build a Fan-In Vulnerability Intelligence Layer</h3><p>Stop treating NVD as your single source of truth:</p><ol><li><strong>CISA KEV</strong> — your 'stop everything and patch' signal (clean JSON feed, trivial to consume)</li><li><strong>OSV.dev</strong> — open-source ecosystem data with affected version ranges mapped to package managers (far more useful than CPE strings)</li><li><strong>GitHub Advisory Database</strong> — directly integrated with Dependabot</li><li><strong>Vendor security advisories</strong> — for critical commercial dependencies</li></ol><p>The trade-off is reconciliation complexity — conflicting severity assessments require a tiebreaker. 
Recommendation: KEV presence overrides everything, then use the most conservative score, and let asset context (internet-facing? handles auth?) do final prioritization.</p><hr><h3>Q-Day Moved to 2029 — Start Your Crypto-Agility Inventory</h3><p>Google research now puts <strong>ECC breakage at 1,200 logical qubits</strong> — significantly lower than previous estimates. Both Google and Cloudflare have moved their Q-day estimates to <strong>2029</strong>. Three years.</p><p>The reframing that matters: the industry has focused on encrypting data in transit, but the more urgent risk is <strong>authentication infrastructure</strong>. A compromised quantum-vulnerable signing key doesn't just decrypt traffic — it turns your software update pipeline into an RCE vector. It compromises your mTLS, your OIDC tokens, your artifact signatures. Large-scale cryptographic migrations historically take <em>longer than three years</em>, which means starting now is already late.</p>
Action items
- Audit your vulnerability management pipeline's dependency on NVD-enriched metadata — map which tools break when a CVE has no CVSS, CPE, or CWE
- Integrate CISA KEV feed as an independently-weighted, primary signal in your patch prioritization logic
- Begin a crypto-agility inventory: catalog all systems using elliptic curve cryptography, especially code signing, mTLS, OIDC, and software update verification
- Evaluate OSV.dev and GitHub Advisory Database as supplementary vulnerability intelligence sources to cover the NVD enrichment gap
Sources: Your vuln scanner's NVD data source just got gutted — NIST drops enrichment for non-critical CVEs · Your GitHub Actions workflows are exploitable via 3 distinct attack classes — here's the Wiz threat model and exact fixes
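The tiebreaker recommended in this section (KEV presence overrides everything, then the most conservative score, then asset context) as a small reconciliation function. This is an added example, not code from any of the feeds named above; the CVE IDs, package names and scores are constructed placeholders, and ranking unscored CVEs between high and medium is this example's assumption so that unenriched records are never silently dropped.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    source: str            # "nvd", "osv", "ghsa" or "vendor"
    cve: str
    package: str
    cvss: Optional[float]  # None: record published but never scored


# Constructed sample data; CVE IDs and package names are placeholders.
KEV = {"CVE-0000-0001"}
ASSETS = {
    "pkg-b": {"internet_facing": True},
    "pkg-c": {"handles_auth": True},
    "pkg-d": {"internet_facing": True, "handles_auth": True},
    "pkg-f": {"internet_facing": True, "handles_auth": True},
}
ADVISORIES = [
    Advisory("nvd", "CVE-0000-0001", "pkg-a", None),
    Advisory("osv", "CVE-0000-0001", "pkg-a", 5.3),
    Advisory("nvd", "CVE-0000-0002", "pkg-b", 7.5),
    Advisory("ghsa", "CVE-0000-0002", "pkg-b", 9.1),
    Advisory("nvd", "CVE-0000-0003", "pkg-c", None),
    Advisory("nvd", "CVE-0000-0004", "pkg-d", 6.5),
    Advisory("vendor", "CVE-0000-0004", "pkg-d", 4.0),
    Advisory("osv", "CVE-0000-0005", "pkg-e", 7.8),
    Advisory("ghsa", "CVE-0000-0006", "pkg-f", 7.1),
]

# Assumption: an unscored CVE ranks above medium until someone triages it.
BAND_ORDER = {"critical": 0, "high": 1, "unscored": 2, "medium": 3, "low": 4}


def band(score):
    """Map a CVSS base score to a severity band; None stays visible."""
    if score is None:
        return "unscored"
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def prioritize(advisories, kev, assets):
    """Merge per-source records into one ranked list, highest priority first."""
    merged = {}
    for adv in advisories:
        entry = merged.setdefault(adv.cve, {"package": adv.package, "scores": []})
        if adv.cvss is not None:
            entry["scores"].append(adv.cvss)
    ranked = []
    for cve, entry in merged.items():
        score = max(entry["scores"], default=None)  # most conservative wins
        ctx = assets.get(entry["package"], {})
        exposure = int(bool(ctx.get("internet_facing"))) + int(
            bool(ctx.get("handles_auth")))
        ranked.append({"cve": cve, "kev": cve in kev, "score": score,
                       "band": band(score), "exposure": exposure})
    # KEV first, then severity band, then asset context inside the band.
    ranked.sort(key=lambda r: (not r["kev"], BAND_ORDER[r["band"]],
                               -r["exposure"], -(r["score"] or 0.0), r["cve"]))
    return ranked


if __name__ == "__main__":
    for row in prioritize(ADVISORIES, KEV, ASSETS):
        print(row)
```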
◆ QUICK HITS
Chrome 146 ships Device Bound Session Credentials (DBSC) — authentication tokens cryptographically bound to TPM/secure enclave, making stolen cookies worthless on Windows
Claude Code generated 75% of RCE commands in a real breach — your AI-assisted dev workflow shares the same attack surface
Anthropic shifting Claude Enterprise from flat-rate to token-consumption billing — instrument per-request cost attribution before the switch hits
Snap says AI writes 65% of their new code — here's what that means for your team's headcount math
Yelp upgraded 1000+ Cassandra nodes from 3.11→4.1 with zero downtime via K8s init containers — 21-60% latency improvement, a playbook worth stealing for fleet upgrades
DuckLake ditches file-based metadata, Yelp ships 1000-node Cassandra upgrade at zero downtime — patterns worth stealing
Airflow 3.0 ships @task.llm, @task.agent, @task.llm_sql decorators with 350+ existing hooks as typed AI tools and durable execution with step-level replay — could replace custom LLM orchestration code
DuckLake ditches file-based metadata, Yelp ships 1000-node Cassandra upgrade at zero downtime — patterns worth stealing
METR benchmarks Gemini 3.1 Pro at 50% success rate at ~6.4 hours of autonomous software work — don't design agent tasks longer than 4 hours without checkpoints
Your CI/CD pipeline assumes PRs exist — GitHub just made them optional, and agent infra is converging fast
Salesforce adopted MCP servers for Headless 360 — third-party AI agents can now connect to Salesforce data via Model Context Protocol, the biggest enterprise MCP endorsement yet
MCP is becoming the enterprise integration standard — Salesforce just shipped MCP servers for Headless 360
Xata open-sourced its cloud-native Postgres under Apache 2 with database branching and scale-to-zero — directly challenging Neon's licensing model
OpenAI Agents SDK gets sandboxing + Xata open-sources scale-to-zero Postgres — evaluate both for your stack
KYC liveness detection broken: 90-second bypass with a static photo, 22 Telegram channels selling the service — if you depend on biometric verification, audit for 3D depth sensing vs. 2D video analysis
Your liveness detection is probably broken: 90-second KYC bypass with a static image is now commodity tooling
Update: Trivy supply chain compromise now formally tracked as UNC6780 by Google GTIG — confirmed Cisco source code compromised via Trivy-linked breach
Axios CVSS 10.0 cloud metadata exfil — check your Node.js deps before attackers do
Update: LLM router supply chain — study of 428 routers (28 paid, 400 free) confirmed response modification, command injection, and credential harvesting across the ecosystem
Claude Code generated 75% of RCE commands in a real breach — your AI-assisted dev workflow shares the same attack surface
Google penalizing back-button hijacking as a spam violation starting June 15, 2026 — audit history.pushState usage and third-party scripts that manipulate browser history
Google's June 15 spam policy update will penalize back-button hijacking — audit your redirects now
Codex's Rust harness uses bidirectional JSON-RPC as the protocol boundary and treats prompt caching + context compaction as application-level concerns, not API-delegated — reference architecture for agent builders
Codex's Rust agent harness reveals production AI agent patterns you should be stealing now
Treasury defunding cybersecurity intelligence-sharing with financial institutions this month — if you're in fintech, audit which threat intel feeds are downstream of this program
Treasury killing fintech cyber-intel feed this month — audit your threat pipelines now
BOTTOM LINE
Your production dependencies got hit with a CVSS 10.0 (Axios cloud credential theft) and six more 9.1-9.8 CVEs in the same week — while a new tool proved every standard AWS IAM containment method is bypassable except SCPs, AI coding assistants are generating 10x more security findings with 322% more privilege escalation paths, and NIST just stopped enriching most CVEs with severity data your scanners need. Patch Axios today, rewrite your IR playbooks around SCPs this week, add security gates calibrated for AI-generated code this sprint, and diversify your vulnerability intelligence away from NVD this quarter.
Frequently asked
- Why do URL allowlists fail to stop the Axios CVSS 10.0 vulnerability?
- Because CVE-2026-40175 is a header injection flaw, not URL-based SSRF. Attacker-controlled input lands in HTTP headers and can redirect requests to the cloud instance metadata service at 169.254.169.254, bypassing any URL-validation middleware. The mitigation beyond patching is enforcing IMDSv2 with a hop limit of 1 on every cloud instance, since IMDSv2's required PUT-for-token flow defeats most header injection chains.
- Why are Service Control Policies the only containment that survives the 'notyet' attack?
- SCPs are enforced at the AWS Organizations level, and member-account identities cannot modify SCP attachments even with wildcard IAM permissions. Every account-level method — inline policy deletion, permission boundaries, access key deactivation, role deletion, even the official AWSSupport-ContainIAMPrincipal runbook — is bypassable during IAM's eventual consistency propagation window, because the attacker's automation detects and reverses changes before they fully enforce.
- How can CodeBuild leak a GitHub App token across an entire org, and why isn't AWS patching it?
- Any unprivileged CodeBuild job using CodeConnections can call an undocumented API to retrieve raw GitHub App or BitBucket JWT tokens that carry the full permissions of the installed CodeConnection App — usually read, write, and admin across every repo in the org. AWS classifies this as by-design because CodeBuild is considered a 'trusted environment,' so the fix falls on you: scope CodeConnection App permissions to minimum required repos and monitor for the undocumented token-retrieval API.
- What kinds of defects do AI coding assistants introduce that standard SAST tools miss?
- Apiiro's Fortune 50 data shows a 322% increase in privilege escalation paths and 153% increase in architectural design flaws in AI-assisted code. LLMs produce syntactically correct local patterns but don't reason about system-wide invariants like authorization boundaries or data-flow constraints, so they generate endpoints that bypass authz middleware or leak internal data. SAST tuned for injection and XSS rarely catches these categories.
- How should vulnerability management change now that NVD is narrowing enrichment?
- Treat NVD as one of several inputs rather than the source of truth. NIST now enriches only CISA KEV CVEs, federal-relevant CVEs, and EO 14028 critical software, so other CVEs may arrive without CVSS, CPE, or CWE data. Build a fan-in layer combining CISA KEV (as an overriding priority signal), OSV.dev for ecosystem-accurate version ranges, GitHub Advisory Database, and vendor advisories, with asset context driving final prioritization.