Axios CVE-2026-42043

EUVD-2026-25608 | HIGH
Permissive List of Allowed Inputs (CWE-183)
2026-04-24 | GitHub_M | GHSA-pmwg-cvhr-8vh7
CVSS 3.1: 7.2

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
  • Confidentiality: Low
  • Integrity: Low
  • Availability: None

Lifecycle Timeline

7 events
  • Apr 27, 2026 - 20:05 (nvd): Patch released. Patch available
  • Apr 27, 2026 - 14:22 (vuln.today): Re-analysis Queued. cvss_changed
  • Apr 24, 2026 - 20:17 (EUVD): Patch available
  • Apr 24, 2026 - 18:45 (vuln.today): Analysis Generated
  • Apr 24, 2026 - 18:15 (euvd): EUVD ID Assigned. EUVD-2026-25608
  • Apr 24, 2026 - 18:15 (vuln.today): Analysis Generated
  • Apr 24, 2026 - 17:54 (nvd): CVE Published. HIGH 7.2

Blast Radius

ecosystem impact
  • 273 npm packages depend on axios (189 direct, 84 indirect)

Ecosystem-wide dependent count for version 1.0.0.

Description (NVD)

Axios is a promise-based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL of an Axios request can use any address in the 127.0.0.0/8 range (other than 127.0.0.1) to completely bypass the NO_PROXY protection. This vulnerability is due to an incomplete fix for CVE-2025-62718. It is fixed in 1.15.1 and 0.31.1.

Analysis (AI)

A NO_PROXY bypass in the Axios HTTP client library lets remote attackers who control the target URL of a request use 127.0.0.0/8 addresses other than 127.0.0.1 to evade the NO_PROXY protection. Applications using Axios prior to versions 1.15.1 and 0.31.1 are affected, and attackers can bypass proxy restrictions and potentially access internal resources with changed scope (CVSS S:C). …

Remediation (AI)

Within 24 hours: Inventory all applications and services using Axios; identify versions in use via dependency scanning tools (npm list axios, or the equivalent for other package managers). Within 7 days: Upgrade Axios to version 1.15.1 (for v1.x) or 0.31.1 (for v0.x) in all development and staging environments; conduct regression testing of proxy-dependent functionality. …
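
To support the inventory step, the following added example (not vuln.today's or the Axios project's code) scans a parsed package-lock.json for installed axios copies older than the fixed releases 0.31.1 and 1.15.1. It assumes every earlier release on each branch is affected, since the page gives no first affected version; the sample lockfile and its package names are constructed.

```javascript
// Fixed releases named on the page: 0.31.1 (0.x branch) and 1.15.1 (1.x branch).
const FIXED = { 0: [0, 31, 1], 1: [1, 15, 1] };

// Parse "1.15.0" / "v1.15.0" / "1.15.1-beta.0" into [major, minor, patch, isPrerelease].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3]), Boolean(m[4])] : null;
}

// Assumption: every release below the fixed one on its branch is affected,
// because the page states no first affected version.
function isVulnerable(version) {
  const p = parseVersion(version);
  if (!p) return null; // git URL, tag or missing version: review by hand
  const fixed = p[0] === 0 ? FIXED[0] : FIXED[1];
  for (let i = 0; i < 3; i++) {
    if (p[i] !== fixed[i]) return p[i] < fixed[i];
  }
  return p[3]; // a prerelease of the fixed version sorts before it in semver
}

// Collect axios copies: lockfileVersion 2/3 has a flat "packages" map, v1 nests "dependencies".
function findAxios(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/axios$/.test(path)) hits.push({ path, version: meta.version });
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "axios") hits.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

function auditLockfile(lock) {
  return findAxios(lock).map((h) => ({ ...h, vulnerable: isVulnerable(h.version) }));
}

// Constructed sample lockfile; package names are hypothetical.
const sampleLock = { lockfileVersion: 3, packages: {
  "node_modules/axios": { version: "1.15.1" },
  "node_modules/legacy-sdk/node_modules/axios": { version: "0.27.2" },
  "node_modules/report-client/node_modules/axios": { version: "1.15.0" },
} };
console.log(auditLockfile(sampleLock));
```

Nested copies pulled in by other packages are reported with their full path, so a patched top-level axios does not hide an older transitive one.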
