Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Primary rating from Vendor (https://github.com/axios/axios).
CVSS VectorVendor: https://github.com/axios/axios
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
3Blast Radius
ecosystem impact- 3,108 npm packages depend on axios (814 direct, 2,321 indirect)
Ecosystem-wide dependent count for version 1.15.0.
DescriptionCVE.org
Summary
shouldBypassProxy, introduced in v1.15.0 to fix CVE-2025-62718, does not normalise IPv4-mapped IPv6 addresses. When NO_PROXY lists an IPv4 address such as 127.0.0.1 or 169.254.169.254, a request URL using the IPv4-mapped IPv6 form (::ffff:7f00:1, ::ffff:a9fe:a9fe) still routes through the configured proxy. Node.js resolves these addresses to the underlying IPv4 host, so the request reaches the internal service via the proxy rather than being blocked.
Details
lib/helpers/shouldBypassProxy.js (v1.15.0):
const LOOPBACK_ADDRESSES = new Set(['localhost', '127.0.0.1', '::1']);
const isLoopback = (host) => LOOPBACK_ADDRESSES.has(host);
// normalizeNoProxyHost strips brackets and trailing dots, but not ::ffff: prefix
return hostname === entryHost || (isLoopback(hostname) && isLoopback(entryHost));The WHATWG URL parser canonicalises http://[::ffff:127.0.0.1]/ to hostname [::ffff:7f00:1]. After bracket-stripping: ::ffff:7f00:1. This string does not match 127.0.0.1 in NO_PROXY and is not in LOOPBACK_ADDRESSES, so shouldBypassProxy returns false and the proxy is used. proxy-from-env (called before shouldBypassProxy) has the same gap - it does not equate ::ffff:7f00:1 with 127.0.0.1 - so neither layer catches the bypass.
PoC
// NO_PROXY=127.0.0.1,localhost,::1 HTTP_PROXY=http://attacker:8080
import shouldBypassProxy from 'axios/lib/helpers/shouldBypassProxy.js';
// All three should return true (bypass proxy). Only the first two do.
console.log(shouldBypassProxy('http://127.0.0.1/')); // true [OK]
console.log(shouldBypassProxy('http://[::1]/')); // true [OK]
console.log(shouldBypassProxy('http://[::ffff:127.0.0.1]/')); // false <- bypass
console.log(shouldBypassProxy('http://[::ffff:7f00:1]/')); // false <- bypass
Node.js routes ::ffff:7f00:1 to 127.0.0.1:
// net.connect({ host: '::ffff:7f00:1', port: 80 }) reaches a service
// bound to 127.0.0.1:80 - confirmed on Node.js v24, Linux and macOS.Cloud metadata SSRF: ::ffff:a9fe:a9fe = ::ffff:169.254.169.254. If NO_PROXY=169.254.169.254 is set to block IMDS access, a request to http://[::ffff:a9fe:a9fe]/latest/meta-data/ bypasses it.
Fix
Canonicalise IPv4-mapped IPv6 in normalizeNoProxyHost before any comparison:
const ipv4MappedDotted = /^::ffff:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$/i;
const ipv4MappedHex = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/i;
function hexToIPv4(a, b) {
const hi = parseInt(a, 16), lo = parseInt(b, 16);
return `${hi >> 8}.${hi & 0xff}.${lo >> 8}.${lo & 0xff}`;
}
const normalizeNoProxyHost = (hostname) => {
if (!hostname) return hostname;
if (hostname[0] === '[' && hostname.at(-1) === ']')
hostname = hostname.slice(1, -1);
hostname = hostname.replace(/\.+$/, '').toLowerCase();
let m;
if ((m = hostname.match(ipv4MappedDotted))) return m[1];
if ((m = hostname.match(ipv4MappedHex))) return hexToIPv4(m[1], m[2]);
return hostname;
};
Impact
Any application that sets NO_PROXY to exclude internal or metadata endpoints and uses an HTTP/HTTPS proxy can have those exclusions bypassed by a URL using IPv4-mapped IPv6 notation. The attacker must control the request URL. In cloud environments with instance metadata services, this can lead to credential exfiltration.
AnalysisAI
Server-Side Request Forgery in axios versions <1.16.0 and <=0.31.1 allows remote attackers who control a request URL to bypass NO_PROXY allowlists by using IPv4-mapped IPv6 notation (e.g., ::ffff:7f00:1 for 127.0.0.1, or ::ffff:a9fe:a9fe for the 169.254.169.254 cloud metadata endpoint). The flaw is an incomplete fix for CVE-2025-62718: shouldBypassProxy normalizes brackets and trailing dots but never canonicalises the ::ffff: prefix, so loopback and metadata exclusions silently fail and traffic is routed through an attacker-controlled HTTP/HTTPS proxy. Publicly available exploit code exists (full PoC in the GHSA advisory); no public exploit identified at time of analysis as actively exploited and the CVE is not in CISA KEV.
Technical ContextAI
axios is one of the most widely deployed HTTP client libraries in the Node.js ecosystem (pkg:npm/axios). Proxy selection in Node.js is governed by the HTTP_PROXY/HTTPS_PROXY and NO_PROXY environment variables; axios layers its own shouldBypassProxy on top of proxy-from-env to decide whether to send a request directly or through a proxy. The root cause maps to CWE-918 (Server-Side Request Forgery): both layers perform a string-equality check between hostname and NO_PROXY entries, but the WHATWG URL parser canonicalises hostnames like [::ffff:127.0.0.1] to [::ffff:7f00:1], producing a string that does not equal 127.0.0.1. Node's net stack, however, transparently resolves IPv4-mapped IPv6 destinations back to the underlying IPv4 socket, so the proxy ultimately delivers traffic to the very internal address NO_PROXY was meant to exclude. This is a classic input-canonicalisation gap where the security check operates on a different representation than the eventual network operation.
RemediationAI
Vendor-released patch: upgrade axios to 1.16.0 (1.x line) or 0.32.0 (0.x line) per GHSA-pjwm-pj3p-43mv at https://github.com/axios/axios/security/advisories/GHSA-pjwm-pj3p-43mv; the fix canonicalises ::ffff: IPv4-mapped IPv6 hostnames in normalizeNoProxyHost before comparison. If immediate upgrade is not possible, compensating controls include: enforce IMDSv2 on AWS (requires a session token, blocking the SSRF-to-metadata path even if the proxy bypass succeeds, with the side effect that any legacy SDK/tool relying on IMDSv1 must be updated); block outbound traffic to 169.254.169.254 and other sensitive internal ranges at the egress proxy itself rather than relying on client-side NO_PROXY (side effect: legitimate metadata calls must use an allowlisted path); validate or normalise user-controlled URLs before passing them to axios by rejecting bracketed IPv6 hosts or resolving and re-checking the destination IP against a denylist (side effect: breaks legitimate IPv6 use cases); or pin egress-proxy ACLs so the proxy refuses to forward to RFC1918, link-local, and loopback ranges regardless of what the client requests.
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic
Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36255
GHSA-pjwm-pj3p-43mv