Description
Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios’ Node.js HTTP adapter can leak proxy credentials to a redirect target in affected versions. When a request is sent through an authenticated proxy, Axios may add a Proxy-Authorization header. If Axios then follows a redirect and the redirected request is no longer sent through that proxy, the stale Proxy-Authorization header can remain on the redirected request and be sent to the redirect target. This affects Node.js's use of Axios with automatic redirects enabled and an authenticated proxy configuration. Browser adapters are not affected. This vulnerability is fixed in 0.32.0 and 1.16.0.
Published: 2026-06-11
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Axios is a promise‑based HTTP client for Node.js that, in versions before 0.32.0 and 1.16.0, can retain a Proxy‑Authorization header after following an HTTP redirect. When a request is sent through an authenticated proxy, Axios inserts the Proxy‑Authorization header; if that request is then redirected to a host that is not routed through the same proxy, the stale header may continue into the new request and be transmitted to the redirect target. The result is the disclosure of proxy credentials to a third‑party host, which is a confidentiality breach (CWE‑200) and an information exposure to a wrong reference (CWE‑201). The vulnerability is exploitable only in the context of Node.js usage with automatic redirects enabled and an authenticated proxy configuration, while browser adapters are unaffected.

Affected Systems

The vulnerability affects the Axios library for Node.js, specifically all releases earlier than 0.32.0 and 1.16.0 that enable automatic redirects with an authenticated proxy configuration. The browser adapters of Axios are not impacted. Users of Node.js applications that make HTTP requests through Axios with a proxy and allow redirects are at risk.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity. The EPSS score of 0.00031 (less than 1%) indicates a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog, indicating no confirmed public exploitation. The likely attack vector is legitimate use of Axios with an authenticated proxy and automatic redirects; any system following this pattern may inadvertently send proxy credentials to an unintended host, resulting in unauthorized disclosure of those credentials.

Generated by OpenCVE AI on June 13, 2026 at 01:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Axios to version 0.32.0 or later (or 1.16.0 or later)
  • If an upgrade cannot be performed immediately, configure Axios to disable automatic redirects
  • Ensure the Proxy‑Authorization header is removed or cleared from requests before a redirect is processed

Generated by OpenCVE AI on June 13, 2026 at 01:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-j5f8-grm9-p9fc Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection
History

Sat, 13 Jun 2026 03:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 13 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-201
References
Metrics threat_severity

None

threat_severity

Important


Fri, 12 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:axios:axios:*:*:*:*:*:node.js:*:*

Thu, 11 Jun 2026 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Axios
Axios axios
Vendors & Products Axios
Axios axios

Thu, 11 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios’ Node.js HTTP adapter can leak proxy credentials to a redirect target in affected versions. When a request is sent through an authenticated proxy, Axios may add a Proxy-Authorization header. If Axios then follows a redirect and the redirected request is no longer sent through that proxy, the stale Proxy-Authorization header can remain on the redirected request and be sent to the redirect target. This affects Node.js's use of Axios with automatic redirects enabled and an authenticated proxy configuration. Browser adapters are not affected. This vulnerability is fixed in 0.32.0 and 1.16.0.
Title Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection
Weaknesses CWE-200
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-01T12:04:34.249Z

Reserved: 2026-05-06T17:18:51.783Z

Link: CVE-2026-44486

cve-icon Vulnrichment

Updated: 2026-06-30T03:15:52.020Z

cve-icon NVD

Status : Modified

Published: 2026-06-11T17:16:32.450

Modified: 2026-06-13T03:16:20.647

Link: CVE-2026-44486

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-11T15:39:07Z

Links: CVE-2026-44486 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-13T02:00:08Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor

  • CWE-201

    Insertion of Sensitive Information Into Sent Data