Description
Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios’s Node.js HTTP adapter may forward a Proxy-Authorization header to a redirected origin during specific proxy-to-direct redirect flows. This affects Node.js usage, where an initial HTTP request is sent through an authenticated HTTP proxy, redirects are followed, and the redirected URL is no longer proxied. Under affected redirect shapes, the final origin can receive the proxy credential that was intended only for the outbound proxy. This vulnerability is fixed in 0.32.0 and 1.16.0.
Published: 2026-06-11
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Axios’s Node.js HTTP adapter can forward the Proxy-Authorization header to the final destination when a request that was sent through an authenticated HTTP proxy is redirected to a URL that is not proxied (the GitHub advisory title names the HTTP-to-HTTPS redirect as the affected shape). The credential, intended only for the outbound proxy, reaches the origin server, so whoever controls that origin learns the proxy credential and can use it to authenticate to the proxy as the application. The weakness is CWE-201 (Insertion of Sensitive Information Into Sent Data); the CVSS vector scores the impact as confidentiality-only (VC:H, with no integrity or availability impact).

Affected Systems

Vulnerable Axios versions are 0.x before 0.32.0 and 1.x before 1.16.0 when used in Node.js; the browser adapter is not affected. Any Node.js application that sends requests through an authenticated HTTP proxy, follows redirects, and can be redirected to a destination that is not proxied (for example an HTTPS URL when only HTTP_PROXY is configured, or a host matched by NO_PROXY) is susceptible.

Risk and Exploitability

With a CVSS 4.0 score of 8.2 the vulnerability is rated high severity. No EPSS score is available and the vulnerability is not listed in CISA’s KEV catalog, so there is no confirmed in-the-wild exploitation; note, however, that the SSVC entry in the history below records Exploitation as "poc", meaning a proof of concept exists. The vector (AV:N/AC:L/AT:P/PR:N/UI:N) describes an unauthenticated network attack with no user interaction but with attack requirements: the application must send requests through an authenticated proxy, follow redirects, and be steered to a redirect target that is not proxied. An attacker who controls, or can influence, a server the application requests can return such a redirect and then read the proxy credential at the destination; an attacker who already operates the proxy gains nothing new. The risk is significant for deployments that rely on authenticated HTTP proxies, leave some destinations unproxied (NO_PROXY entries, or a missing HTTPS_PROXY), and do not strip Proxy-Authorization when a redirect leaves the proxy.

Generated by OpenCVE AI on June 11, 2026 at 21:14 UTC.

Remediation

The vendor fix is in the releases named in the description: Axios 0.32.0 and 1.16.0. No separate workaround is listed on this page.

OpenCVE Recommended Actions

  • Upgrade Axios to 0.32.0 or later (0.x line) or to 1.16.0 or later (1.x line).
  • Until then, either stop following redirects in the Node.js adapter (set the `maxRedirects` request option to 0 and handle 3xx responses yourself) or use the `beforeRedirect` request option to remove Proxy-Authorization from the next hop whenever the redirect target is not routed through the proxy.
  • Verify at the network edge that outgoing requests carry a Proxy-Authorization header only when they are actually sent to the proxy, never when they go direct to an origin.
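The redirect hop the description names (a request through an authenticated HTTP proxy, then a 3xx to a URL that is no longer proxied) and the last two recommended actions, as an added example. This is not axios’s own code: it models the decision with a hook written in the (options, { headers }) shape that axios documents for its `beforeRedirect` request option, and adds an audit over egress records. The environment variables, hostnames, proxy credential and captured records are constructed for the example; the simplified NO_PROXY matching and the `protocol`/`hostname`/`port`/`path`/`headers` fields read from the hook’s options argument are assumptions about the shape of the next-hop request, not guarantees about axios internals.

```javascript
// Added example for CVE-2026-44487; not axios project code.
// Models one proxy-to-direct redirect hop: the first request goes through an
// authenticated HTTP proxy, the 3xx Location points at a URL that is not
// proxied, and the Proxy-Authorization header must not travel with it.
'use strict';

// Simplified NO_PROXY matching (assumption: a comma-separated list of host
// suffixes or '*'; the real rules live in the proxy-from-env package).
function isBypassed(hostname, noProxy) {
  const host = hostname.toLowerCase();
  return (noProxy || '').split(',').map(r => r.trim().toLowerCase()).filter(Boolean)
    .some(rule => rule === '*' || host === rule.replace(/^\./, '') ||
                  host.endsWith('.' + rule.replace(/^\./, '')));
}

// Which proxy (as a URL object) the given request URL would be sent through,
// or null when it goes direct (bypassed host, or no proxy for that scheme).
function proxyFor(requestUrl, env) {
  const u = new URL(requestUrl);
  if (isBypassed(u.hostname, env.NO_PROXY)) return null;
  const proxy = u.protocol === 'https:' ? env.HTTPS_PROXY : env.HTTP_PROXY;
  return proxy ? new URL(proxy) : null;
}

// The Basic credential the proxy at `proxyUrl` expects, or null if it has none.
function proxyAuthHeader(proxyUrl) {
  if (!proxyUrl || !proxyUrl.username) return null;
  const cred = decodeURIComponent(proxyUrl.username) + ':' + decodeURIComponent(proxyUrl.password);
  return 'Basic ' + Buffer.from(cred, 'utf8').toString('base64');
}

// Rebuild the next-hop URL from the request options a redirect hook receives
// (assumption: protocol/hostname/port/path fields, as in follow-redirects options).
function nextHopUrl(options) {
  const port = options.port ? ':' + options.port : '';
  return `${options.protocol}//${options.hostname}${port}${options.path || '/'}`;
}

// Hook in the (options, { headers }) shape axios documents for `beforeRedirect`.
// Whatever Proxy-Authorization was carried over is dropped; a credential is
// re-added only when the next hop itself goes through a proxy that has one.
// Mutates and returns options.
function makeRedirectSanitizer(env) {
  return function beforeRedirect(options /*, responseDetails */) {
    const headers = options.headers || {};
    for (const name of Object.keys(headers)) {
      if (name.toLowerCase() === 'proxy-authorization') delete headers[name];
    }
    const auth = proxyAuthHeader(proxyFor(nextHopUrl(options), env));
    if (auth) headers['Proxy-Authorization'] = auth;
    options.headers = headers;
    return options;
  };
}

// Audit captured outgoing requests (e.g. from an egress tap): flag every
// request that carries Proxy-Authorization but whose bytes did not go to
// the proxy the request URL should have been routed through.
function findProxyCredentialLeaks(records, env) {
  return records.filter(r => {
    const carriesCred = Object.keys(r.headers).some(h => h.toLowerCase() === 'proxy-authorization');
    if (!carriesCred) return false;
    const proxy = proxyFor(r.requestUrl, env);
    if (!proxy) return true;                        // sent direct, yet carries the proxy credential
    const port = proxy.port || (proxy.protocol === 'https:' ? '443' : '80');
    return r.peer !== `${proxy.hostname}:${port}`;  // went somewhere other than that proxy
  }).map(r => r.requestUrl);
}

// Constructed environment: HTTP goes through an authenticated proxy, HTTPS has
// no proxy at all, and *.intranet.example is bypassed.
const ENV = {
  HTTP_PROXY: 'http://svc:hunter2@proxy.internal:3128',
  NO_PROXY: 'intranet.example',
};

// Constructed egress records for one redirect chain. Hop 2 is the leak the
// advisory describes: http://public.example redirected to https://, HTTPS is
// unproxied, and the credential rode along to the origin.
const CAPTURED = [
  { requestUrl: 'http://public.example/login', peer: 'proxy.internal:3128',
    headers: { Host: 'public.example', 'Proxy-Authorization': 'Basic c3ZjOmh1bnRlcjI=' } },
  { requestUrl: 'https://public.example/login', peer: 'public.example:443',
    headers: { Host: 'public.example', 'Proxy-Authorization': 'Basic c3ZjOmh1bnRlcjI=' } },
  { requestUrl: 'http://files.intranet.example/doc', peer: 'files.intranet.example:80',
    headers: { Host: 'files.intranet.example' } },
];

// Run the audit over the captured chain and the sanitizer over the leaking hop.
function demo() {
  const sanitize = makeRedirectSanitizer(ENV);
  const hop = { protocol: 'https:', hostname: 'public.example', port: 443, path: '/login',
                headers: { 'proxy-authorization': 'Basic c3ZjOmh1bnRlcjI=', 'user-agent': 'axios/x' } };
  sanitize(hop, { headers: { location: 'https://public.example/login' }, statusCode: 301 });
  return { leaks: findProxyCredentialLeaks(CAPTURED, ENV), sanitizedHeaders: hop.headers };
}

console.log(JSON.stringify(demo(), null, 2));
```

The sanitizer deliberately re-derives the credential from the next hop’s own proxy instead of deciding whether to "keep" the inherited header: a redirect from an HTTP proxy to an HTTPS destination that has its own proxy should carry that proxy’s credential, not the first one’s, and a hop that goes direct gets none. The audit runs the same routing decision over what actually left the host, so it catches the leak regardless of which library produced the request.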

Generated by OpenCVE AI on June 11, 2026 at 21:14 UTC.


Advisories
Source: GitHub GHSA
ID: GHSA-p92q-9vqr-4j8v
Title: Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter
History

Thu, 11 Jun 2026 19:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Axios
                                      Axios axios
Vendors & Products                    Axios
                                      Axios axios

Thu, 11 Jun 2026 19:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 16:45:00 +0000

Type          Values Removed   Values Added
Description                    Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios’s Node.js HTTP adapter may forward a Proxy-Authorization header to a redirected origin during specific proxy-to-direct redirect flows. This affects Node.js usage, where an initial HTTP request is sent through an authenticated HTTP proxy, redirects are followed, and the redirected URL is no longer proxied. Under affected redirect shapes, the final origin can receive the proxy credential that was intended only for the outbound proxy. This vulnerability is fixed in 0.32.0 and 1.16.0.
Title                          Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter
Weaknesses                     CWE-201
References
Metrics                        cvssV4_0
                               {'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-11T18:17:31.939Z

Reserved: 2026-05-06T17:18:51.783Z

Link: CVE-2026-44487

Vulnrichment

Updated: 2026-06-11T18:16:47.230Z

NVD

Status: Awaiting Analysis

Published: 2026-06-11T17:16:32.607

Modified: 2026-06-11T20:56:29.653

Link: CVE-2026-44487

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T21:15:07Z

Weaknesses
  • CWE-201

    Insertion of Sensitive Information Into Sent Data