
Gadget chains: How low-severity bugs combine across dependencies to become critical

Blog post from WorkOS

Post Details
Author: Maria Paktiti
Word Count: 1,825
Language: English
Summary

A recently published CVE highlighted a vulnerability in Axios, a JavaScript HTTP client, which, when combined with a separate prototype pollution bug, could lead to AWS credential theft. This issue exemplifies a "gadget chain": low-severity flaws in different libraries that are harmless on their own but combine into a severe security risk. In the Node.js ecosystem, where deep dependency trees and dynamic object handling are prevalent, such chains are particularly common and hard to detect, because conventional tools evaluate each vulnerability in isolation rather than examining how dependencies interact. The described attack chain was ultimately blocked by Node.js's built-in rejection of CRLF characters in HTTP headers, but the case underscores the importance of understanding how dependencies interact and how low-severity bugs can escalate when a new library is added to a project. The Axios fix in version 1.15.0 addressed the issue by adding input validation, a reminder that each library should validate its own inputs rather than relying on the runtime or on other libraries to reject unexpected values.