Skip to main content

axios CVE-2026-44492

| EUVDEUVD-2026-36255 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-29 https://github.com/axios/axios GHSA-pjwm-pj3p-43mv
8.6
CVSS 3.1 · Vendor: https://github.com/axios/axios
Share

Severity by source

Vendor (https://github.com/axios/axios) PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Red Hat
8.6 HIGH
qualitative

Primary rating from Vendor (https://github.com/axios/axios).

CVSS VectorVendor: https://github.com/axios/axios

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 29, 2026 - 16:22 vuln.today
Analysis Generated
May 29, 2026 - 16:22 vuln.today
CVE Published
May 29, 2026 - 15:59 nvd
HIGH 8.6

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 3,108 npm packages depend on axios (814 direct, 2,321 indirect)

Ecosystem-wide dependent count for version 1.15.0.

DescriptionCVE.org

Summary

shouldBypassProxy, introduced in v1.15.0 to fix CVE-2025-62718, does not normalise IPv4-mapped IPv6 addresses. When NO_PROXY lists an IPv4 address such as 127.0.0.1 or 169.254.169.254, a request URL using the IPv4-mapped IPv6 form (::ffff:7f00:1, ::ffff:a9fe:a9fe) still routes through the configured proxy. Node.js resolves these addresses to the underlying IPv4 host, so the request reaches the internal service via the proxy rather than being blocked.

Details

lib/helpers/shouldBypassProxy.js (v1.15.0):

javascript
  const LOOPBACK_ADDRESSES = new Set(['localhost', '127.0.0.1', '::1']);
  const isLoopback = (host) => LOOPBACK_ADDRESSES.has(host);

  // normalizeNoProxyHost strips brackets and trailing dots, but not ::ffff: prefix
  return hostname === entryHost || (isLoopback(hostname) && isLoopback(entryHost));

The WHATWG URL parser canonicalises http://[::ffff:127.0.0.1]/ to hostname [::ffff:7f00:1]. After bracket-stripping: ::ffff:7f00:1. This string does not match 127.0.0.1 in NO_PROXY and is not in LOOPBACK_ADDRESSES, so shouldBypassProxy returns false and the proxy is used. proxy-from-env (called before shouldBypassProxy) has the same gap - it does not equate ::ffff:7f00:1 with 127.0.0.1 - so neither layer catches the bypass.

PoC

javascript

// NO_PROXY=127.0.0.1,localhost,::1  HTTP_PROXY=http://attacker:8080
import shouldBypassProxy from 'axios/lib/helpers/shouldBypassProxy.js';

// All three should return true (bypass proxy). Only the first two do.
console.log(shouldBypassProxy('http://127.0.0.1/'));          // true  [OK]
console.log(shouldBypassProxy('http://[::1]/'));               // true  [OK]
console.log(shouldBypassProxy('http://[::ffff:127.0.0.1]/')); // false <- bypass
console.log(shouldBypassProxy('http://[::ffff:7f00:1]/'));     // false <- bypass

Node.js routes ::ffff:7f00:1 to 127.0.0.1:

// net.connect({ host: '::ffff:7f00:1', port: 80 }) reaches a service
// bound to 127.0.0.1:80 - confirmed on Node.js v24, Linux and macOS.

Cloud metadata SSRF: ::ffff:a9fe:a9fe = ::ffff:169.254.169.254. If NO_PROXY=169.254.169.254 is set to block IMDS access, a request to http://[::ffff:a9fe:a9fe]/latest/meta-data/ bypasses it.

Fix

Canonicalise IPv4-mapped IPv6 in normalizeNoProxyHost before any comparison:

javascript
const ipv4MappedDotted = /^::ffff:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$/i;
const ipv4MappedHex    = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/i;

function hexToIPv4(a, b) {
  const hi = parseInt(a, 16), lo = parseInt(b, 16);
  return `${hi >> 8}.${hi & 0xff}.${lo >> 8}.${lo & 0xff}`;
}

const normalizeNoProxyHost = (hostname) => {
  if (!hostname) return hostname;
  if (hostname[0] === '[' && hostname.at(-1) === ']')
    hostname = hostname.slice(1, -1);
  hostname = hostname.replace(/\.+$/, '').toLowerCase();

  let m;
  if ((m = hostname.match(ipv4MappedDotted))) return m[1];
  if ((m = hostname.match(ipv4MappedHex)))    return hexToIPv4(m[1], m[2]);
  return hostname;
};

Impact

Any application that sets NO_PROXY to exclude internal or metadata endpoints and uses an HTTP/HTTPS proxy can have those exclusions bypassed by a URL using IPv4-mapped IPv6 notation. The attacker must control the request URL. In cloud environments with instance metadata services, this can lead to credential exfiltration.

AnalysisAI

Server-Side Request Forgery in axios versions <1.16.0 and <=0.31.1 allows remote attackers who control a request URL to bypass NO_PROXY allowlists by using IPv4-mapped IPv6 notation (e.g., ::ffff:7f00:1 for 127.0.0.1, or ::ffff:a9fe:a9fe for the 169.254.169.254 cloud metadata endpoint). The flaw is an incomplete fix for CVE-2025-62718: shouldBypassProxy normalizes brackets and trailing dots but never canonicalises the ::ffff: prefix, so loopback and metadata exclusions silently fail and traffic is routed through an attacker-controlled HTTP/HTTPS proxy. Publicly available exploit code exists (full PoC in the GHSA advisory); no public exploit identified at time of analysis as actively exploited and the CVE is not in CISA KEV.

Technical ContextAI

axios is one of the most widely deployed HTTP client libraries in the Node.js ecosystem (pkg:npm/axios). Proxy selection in Node.js is governed by the HTTP_PROXY/HTTPS_PROXY and NO_PROXY environment variables; axios layers its own shouldBypassProxy on top of proxy-from-env to decide whether to send a request directly or through a proxy. The root cause maps to CWE-918 (Server-Side Request Forgery): both layers perform a string-equality check between hostname and NO_PROXY entries, but the WHATWG URL parser canonicalises hostnames like [::ffff:127.0.0.1] to [::ffff:7f00:1], producing a string that does not equal 127.0.0.1. Node's net stack, however, transparently resolves IPv4-mapped IPv6 destinations back to the underlying IPv4 socket, so the proxy ultimately delivers traffic to the very internal address NO_PROXY was meant to exclude. This is a classic input-canonicalisation gap where the security check operates on a different representation than the eventual network operation.

RemediationAI

Vendor-released patch: upgrade axios to 1.16.0 (1.x line) or 0.32.0 (0.x line) per GHSA-pjwm-pj3p-43mv at https://github.com/axios/axios/security/advisories/GHSA-pjwm-pj3p-43mv; the fix canonicalises ::ffff: IPv4-mapped IPv6 hostnames in normalizeNoProxyHost before comparison. If immediate upgrade is not possible, compensating controls include: enforce IMDSv2 on AWS (requires a session token, blocking the SSRF-to-metadata path even if the proxy bypass succeeds, with the side effect that any legacy SDK/tool relying on IMDSv1 must be updated); block outbound traffic to 169.254.169.254 and other sensitive internal ranges at the egress proxy itself rather than relying on client-side NO_PROXY (side effect: legitimate metadata calls must use an allowlisted path); validate or normalise user-controlled URLs before passing them to axios by rejecting bracketed IPv6 hosts or resolving and re-checking the destination IP against a denylist (side effect: breaks legitimate IPv6 use cases); or pin egress-proxy ACLs so the proxy refuses to forward to RFC1918, link-local, and loopback ranges regardless of what the client requests.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Vendor StatusVendor

Share

CVE-2026-44492 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy