Description
Axios is a promise-based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL of an Axios request can use any address in the 127.0.0.0/8 range (other than 127.0.0.1) to completely bypass the NO_PROXY protection. This vulnerability is due to an incomplete fix for CVE-2025-62718. It is fixed in 1.15.1 and 0.31.1.
Published: 2026-04-24
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized internal network access via NO_PROXY bypass
Action: Patch immediately
AI Analysis

Impact

An attacker who can influence the target URL in an Axios request can specify any address within 127.0.0.0/8 except 127.0.0.1 to fully bypass the NO_PROXY setting. This allows a request that would normally be routed through a configured proxy to instead reach an internal or loopback address, potentially exposing internal services or data. The flaw stems from an incomplete fix for a prior issue (CVE-2025-62718) and is classified as a high-severity bypass.

Affected Systems

The vulnerability affects all Axios clients on the 1.15.0 release line and earlier, as well as the 0.31.0 release line and earlier. Any application running Node.js that includes those versions of Axios and sends HTTP requests with user‑controlled URLs is susceptible. Updating to 1.15.1 or 0.31.1 (or later) removes the flaw.

Risk and Exploitability

The CVSS score of 7.2 indicates high severity, while the EPSS score of less than 1% suggests a very low probability of exploitation as of this assessment. The vulnerability is not listed in CISA's KEV catalog. If untrusted input can influence the URLs an application passes to Axios, an attacker could redirect connections to internal addresses, bypassing proxy restrictions and potentially exposing sensitive resources. Because the attack requires control of the request URL, environments that expose this ability to untrusted input carry the greatest risk.

Generated by OpenCVE AI on April 28, 2026 at 05:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Axios to version 1.15.1 or 0.31.1 (or any newer release).
  • Validate any user-controlled or untrusted URL passed to Axios against an allowlist of permitted hostnames or IP ranges.
  • If an upgrade is not feasible immediately, configure Axios to reject any request targeting addresses in the 127.0.0.0/8 subnet, except 127.0.0.1, by adding custom logic or a proxy configuration that disallows internal loopback targets.
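The third recommendation calls for custom logic that rejects 127.0.0.0/8 targets. The following is an added Node.js example of such a guard (it is not Axios's or OpenCVE's code) that places a plain string comparison, which only recognises the literal 127.0.0.1, beside a check that covers the whole loopback block after WHATWG URL normalisation. The function names and the default exception list are assumptions made for the example.

```javascript
// Parse a dotted-quad IPv4 literal into an unsigned 32-bit integer; null if it is not one.
function ipv4ToInt(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

// True when the host literal lies anywhere in the RFC 1122 loopback block 127.0.0.0/8.
// Also covers ::1 and IPv4-mapped IPv6 loopback, which the WHATWG URL parser serialises
// in hex form (::ffff:127.0.0.2 comes back as [::ffff:7f00:2]).
function isLoopbackLiteral(host) {
  const h = host.replace(/^\[|\]$/g, '').toLowerCase();
  const v4 = ipv4ToInt(h);
  if (v4 !== null) return (v4 >>> 24) === 127;
  if (h === '::1') return true;
  const mapped = /^::ffff:([0-9a-f]{1,4}):[0-9a-f]{1,4}$/.exec(h);
  return mapped !== null && (parseInt(mapped[1], 16) >>> 8) === 127;
}

// Weak form of the guard: an exact comparison against one literal. It reports
// 127.0.0.2, 0x7f.0.0.2 and [::ffff:7f00:2] as "not loopback".
function weakIsLoopbackTarget(url) {
  return new URL(url).hostname === '127.0.0.1';
}

// Hardened form: let the WHATWG URL parser normalise the host first (127.1, 2130706433
// and 0x7f.0.0.2 all become dotted-quad form), then test the whole /8.
function isLoopbackTarget(url) {
  return isLoopbackLiteral(new URL(url).hostname);
}

// Guard to run before handing an untrusted URL to axios: reject every 127.0.0.0/8
// target except the literals explicitly excepted (the recommendation's "except 127.0.0.1").
// Unparsable URLs are rejected as well. The exception list is an assumption.
function shouldRejectTarget(url, exceptions = ['127.0.0.1']) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return true;
  }
  const host = parsed.hostname;
  return isLoopbackLiteral(host) && !exceptions.includes(host);
}
```

The guard only inspects IP literals: a DNS name that resolves to a loopback address is not caught, so where that matters, resolve the name and check the resulting address, or restrict targets to an allowlist of hostnames.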



Advisories

Source: Github GHSA
ID: GHSA-pmwg-cvhr-8vh7
Title: Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0
History

Wed, 06 May 2026 00:15:00 +0000
  • References
  • Metrics threat_severity: removed "None", added "Important"

Mon, 27 Apr 2026 20:15:00 +0000
  • First Time appeared: Axios; Axios axios
  • CPEs: cpe:2.3:a:axios:axios:*:*:*:*:*:node.js:*:*
  • Vendors & Products: Axios; Axios axios

Mon, 27 Apr 2026 14:15:00 +0000
  • Metrics ssvc: added {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 24 Apr 2026 18:15:00 +0000
  • Description: added "Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL of an Axios request can use any address in the 127.0.0.0/8 range (other than 127.0.0.1) to completely bypass the NO_PROXY protection. This vulnerability is due to an incomplete for CVE-2025-62718, This vulnerability is fixed in 1.15.1 and 0.31.1."
  • Title: added "Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0"
  • Weaknesses: added CWE-183, CWE-441, CWE-918
  • References
  • Metrics cvssV3_1: added {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}
MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-04-27T13:47:24.724Z
Reserved: 2026-04-23T16:05:01.709Z
Link: CVE-2026-42043

Vulnrichment

Updated: 2026-04-27T13:47:15.041Z

NVD

Status: Analyzed
Published: 2026-04-24T18:16:31.457
Modified: 2026-04-27T20:05:04.370
Link: CVE-2026-42043

Redhat

Severity: Important
Public Date: 2026-04-24T17:54:42Z
Links: CVE-2026-42043 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T06:00:09Z