Impact
Axios is a promise-based HTTP client for Node.js and browsers. In versions before 0.32.0 and 1.16.0, its Node.js adapter can retain a Proxy-Authorization header across an HTTP redirect. When a request is sent through an authenticated proxy, Axios adds the Proxy-Authorization header to it; if the server answers with a redirect to a host that is not reached through that proxy, the stale header can be copied onto the follow-up request and delivered to the redirect target. Whoever controls that target therefore receives the proxy credentials, which is an information disclosure (CWE-200). The issue is reachable only from Node.js, with automatic redirects enabled (the default) and an authenticated proxy configured; the browser adapters are unaffected.
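The following is an added example, not code from Axios or from the advisory. It models the redirect step described above in plain Node.js: a naive forwarder copies every header onto the redirected request, while a redirect-aware filter drops Proxy-Authorization whenever the new target is no longer reached through the same proxy (and drops Authorization and Cookie whenever the origin changes). The proxy address, the NO_PROXY list, the hostnames and the credential are all constructed for the demonstration; the proxy-selection rule is a simplified stand-in for the real client's proxy lookup.

```javascript
// Added example (not axios code): how a Proxy-Authorization header leaks across
// a redirect, and a header filter that prevents it. All hosts, the proxy and the
// credential are constructed for this demonstration.

// Toy proxy selection: every request goes through PROXY unless the hostname is
// on the NO_PROXY list (assumption: a simplified version of the usual env rule).
const PROXY = 'http://proxy.corp.example:3128';
const NO_PROXY = ['evil.example'];

function proxyFor(url) {
  const { hostname } = new URL(url);
  return NO_PROXY.includes(hostname) ? null : PROXY;
}

// Vulnerable behaviour: every header from the first request is copied onto the
// redirected request, so Proxy-Authorization travels to the new host as well.
function forwardAllHeaders(_fromUrl, _toUrl, headers) {
  return { ...headers };
}

// Hardened behaviour: drop Proxy-Authorization when the redirect target is not
// reached through the same proxy; drop Authorization and Cookie when the origin
// (scheme + host + port) changes, since those belong to the first host only.
function forwardSafeHeaders(fromUrl, toUrl, headers) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const originChanged = from.protocol !== to.protocol || from.host !== to.host;
  const proxyChanged = proxyFor(fromUrl) !== proxyFor(toUrl);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    if (key === 'proxy-authorization' && proxyChanged) continue;
    if ((key === 'authorization' || key === 'cookie') && originChanged) continue;
    out[name] = value;
  }
  return out;
}

// Simulated redirect chain: the proxied origin answers 302 with a Location on a
// host that NO_PROXY routes directly. That host is not the proxy and must never
// see the proxy credential.
function simulateRedirect(forward) {
  const firstUrl = 'http://api.internal.example/report';
  const firstHeaders = {
    'Proxy-Authorization': 'Basic ' + Buffer.from('svc:hunter2').toString('base64'),
    'Authorization': 'Bearer app-token',
    'Accept': 'application/json',
  };
  const location = 'http://evil.example/collect'; // constructed Location header
  return {
    url: location,
    viaProxy: proxyFor(location),
    headers: forward(firstUrl, location, firstHeaders),
  };
}

// true if the redirected request would still carry the proxy credential
function leaksProxyCredential(forward) {
  const next = simulateRedirect(forward);
  return Object.keys(next.headers).some((h) => h.toLowerCase() === 'proxy-authorization');
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('naive forward leaks Proxy-Authorization:   ', leaksProxyCredential(forwardAllHeaders));
  console.log('filtered forward leaks Proxy-Authorization:', leaksProxyCredential(forwardSafeHeaders));
}
```

Until an upgrade is possible, the same filter can be applied from Axios's documented beforeRedirect hook for the Node adapter (deleting the header from the request options it is given; the exact field layout of those options is not shown here and is an assumption), or redirects can be disabled outright with maxRedirects: 0 and handled by application code that rebuilds the request from scratch.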
Affected Systems
All Axios releases earlier than 0.32.0 and 1.16.0 are affected when used from Node.js with automatic redirects enabled and an authenticated proxy configured; 0.32.0 and 1.16.0 are the first releases that no longer carry the header across such a redirect. The browser adapters are not affected. At risk are Node.js applications that send requests through Axios via a proxy that requires credentials and allow those requests to follow redirects, including requests to otherwise trusted services that can be made to redirect elsewhere.
Risk and Exploitability
The CVSS score of 7.5 indicates high severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, so no confirmed exploitation in the wild is recorded there; absence from KEV does not mean exploitation has not occurred. No unusual conditions are needed to trigger the flaw: any Node.js application that uses Axios with an authenticated proxy and leaves automatic redirects enabled will send the proxy credentials to whatever host a redirect points at. An attacker who can influence the redirect target of a request the application makes, for example by controlling or compromising a server it talks to, can therefore collect those credentials and use them to authenticate to the proxy.