Axios HTTP client CVE-2026-42038

EUVD-2026-25604 | Severity: MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
Published: 2026-04-24 | Source: GitHub_M
CVSS 3.1 base score: 6.8

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Patch available: Apr 24, 2026 - 20:17 (EUVD)
Analysis generated: Apr 24, 2026 - 18:45 (vuln.today)

Description (NVD)

Axios is a promise-based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the fix for the no_proxy hostname normalization bypass is incomplete. When no_proxy=localhost is set, requests to 127.0.0.1 and [::1] still route through the proxy instead of bypassing it. The shouldBypassProxy() function does pure string matching: it does not resolve IP aliases or loopback equivalents. This vulnerability is fixed in 1.15.1 and 0.31.1.

Analysis (AI)

Axios versions prior to 1.15.1 and 0.31.1 fail to bypass the configured proxy when no_proxy=localhost is set: requests to the loopback addresses 127.0.0.1 and [::1] are still sent through the proxy instead of directly to the local interface. This Server-Side Request Forgery (SSRF) weakness arises because the shouldBypassProxy() function performs only string matching and does not resolve IP aliases or loopback equivalents, so traffic intended for internal services is exposed to interception or manipulation by the proxy. The CVSS 3.1 score is 6.8, reflecting high confidentiality impact over a changed scope.
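The description and analysis above both come down to one point: a no_proxy check that compares hostnames as strings treats localhost, 127.0.0.1 and [::1] as three unrelated names. The following is an added example, not axios source code, showing that string-only behaviour beside a hardened check that treats loopback aliases as equivalent, plus a small audit helper a defender can run against their own no_proxy value. The function names (shouldBypassProxyNaive, shouldBypassProxyHardened, isLoopbackHost, hostsStillProxied) and the alias set are assumptions made for this example and are not axios APIs.

```javascript
// Added example (not axios code): string-only no_proxy matching vs. a
// loopback-aware version. All names below are illustrative assumptions.

// Normalize a host for comparison: lowercase, strip IPv6 brackets, drop a trailing dot.
function normalizeHost(host) {
  let h = String(host).trim().toLowerCase();
  if (h.startsWith('[') && h.endsWith(']')) h = h.slice(1, -1); // [::1] -> ::1
  if (h.endsWith('.')) h = h.slice(0, -1);                       // localhost. -> localhost
  return h;
}

// True when the host refers to the local loopback interface.
// Covers localhost, *.localhost, ::1 and the whole 127.0.0.0/8 block.
function isLoopbackHost(host) {
  const h = normalizeHost(host);
  if (h === 'localhost' || h === '::1' || h.endsWith('.localhost')) return true;
  const m = /^127\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(h);
  return m !== null && m.slice(1).every((octet) => Number(octet) <= 255);
}

// Split a no_proxy value ("localhost, .example.com") into normalized entries.
function parseNoProxy(noProxy) {
  return String(noProxy || '')
    .split(',')
    .map((s) => normalizeHost(s))
    .filter(Boolean);
}

// One no_proxy entry matched against an already-normalized host.
// A leading dot (".example.com") means "this domain and its subdomains".
function matchesEntry(entry, host) {
  if (entry === '*') return true;
  const bare = entry.startsWith('.') ? entry.slice(1) : entry;
  return host === bare || host.endsWith('.' + bare);
}

// Naive check: pure string comparison. With no_proxy=localhost this returns
// false for 127.0.0.1 and [::1], which is the behaviour the advisory describes.
function shouldBypassProxyNaive(host, noProxy) {
  const h = normalizeHost(host);
  return parseNoProxy(noProxy).some((entry) => matchesEntry(entry, h));
}

// Hardened check: if any no_proxy entry denotes loopback, every loopback alias
// is treated as matched, so localhost / 127.x.x.x / ::1 are interchangeable.
function shouldBypassProxyHardened(host, noProxy) {
  const entries = parseNoProxy(noProxy);
  const h = normalizeHost(host);
  if (entries.some((entry) => matchesEntry(entry, h))) return true;
  const noProxyCoversLoopback = entries.some((entry) => isLoopbackHost(entry));
  return noProxyCoversLoopback && isLoopbackHost(h);
}

// Audit helper: given a no_proxy value and the hosts an application talks to,
// return the hosts that would still be sent through the proxy under `check`.
function hostsStillProxied(noProxy, hosts, check) {
  return hosts.filter((host) => !check(host, noProxy));
}

// Constructed sample: a typical configuration and the loopback targets it is
// meant to protect. Output is informational; the functions above carry the logic.
const sampleNoProxy = 'localhost';
const sampleHosts = ['localhost', '127.0.0.1', '[::1]', '127.1.2.3', 'api.example.com'];
console.log('leaks with naive check:   ', hostsStillProxied(sampleNoProxy, sampleHosts, shouldBypassProxyNaive));
console.log('leaks with hardened check:', hostsStillProxied(sampleNoProxy, sampleHosts, shouldBypassProxyHardened));

module.exports = { normalizeHost, isLoopbackHost, parseNoProxy, shouldBypassProxyNaive, shouldBypassProxyHardened, hostsStillProxied };
```

The hardened version deliberately works in both directions: no_proxy=127.0.0.1 also exempts localhost and ::1. For the audit helper, list every loopback spelling your code actually uses; if any of them shows up in the naive result, that request reaches the proxy, which is exactly the exposure the CVSS vector's high confidentiality impact refers to.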


CVE-2026-42038 vulnerability details – vuln.today
