Description
Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios does not normalise IPv4-mapped IPv6 addresses. When NO_PROXY lists an IPv4 address such as 127.0.0.1 or 169.254.169.254, a request URL using the IPv4-mapped IPv6 form (::ffff:7f00:1, ::ffff:a9fe:a9fe) still routes through the configured proxy. Node.js resolves these addresses to the underlying IPv4 host, so the request reaches the internal service via the proxy rather than being blocked. This vulnerability is fixed in 0.32.0 and 1.16.0.
Published: 2026-06-11
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Axios does not normalise IPv4-mapped IPv6 addresses before versions 0.32.0 and 1.16.0. This flaw, classified as CWE-289 and CWE-918, occurs when the NO_PROXY environment variable lists an IPv4 address. Requests to URLs that use the IPv4-mapped IPv6 form of that address still route through the configured proxy. Because Node.js resolves these addresses to the underlying IPv4 host, the request reaches an internal service through the proxy instead of being blocked. This gives an attacker the ability to reach internal services that should be inaccessible, creating a risk of internal service exposure and potential further compromise.

Affected Systems

The vulnerability affects the Axios library distributed by the axios:axios project. Versions earlier than 0.32.0 in the 0.x series and earlier than 1.16.0 in the 1.x series are affected. Users of these older releases remain at risk until they apply the available fix or migrate.

Risk and Exploitability

The CVSS score of 8.6 signals a high-severity flaw, while the EPSS score of under 1% indicates a very low probability of exploitation. The flaw is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker could manipulate the NO_PROXY environment variable or cause requests to be sent to IPv4-mapped IPv6 addresses. This would allow internal hosts to be reached through an outbound proxy, potentially leaking internal traffic or enabling further lateral movement. The vulnerability does not require privileged local access, and the inferred attack vector is remote, contingent on the ability to influence NO_PROXY or craft the requests.

Generated by OpenCVE AI on June 13, 2026 at 02:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Axios to version 0.32.0 or later, or 1.16.0 or later, so that IPv4-mapped IPv6 addresses are normalised and NO_PROXY exclusions apply to them as intended.
  • If an upgrade is not immediately possible, avoid listing IPv4 addresses in the NO_PROXY environment variable for requests that may use IPv4-mapped IPv6 literals, or restrict NO_PROXY to IPv6 addresses only.
  • Review application and infrastructure configurations to confirm that internal services are not being routed through external proxies, and adjust proxy settings accordingly.


Advisories
Source        ID                    Title
Github GHSA   GHSA-pjwm-pj3p-43mv   axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)
History

Sat, 13 Jun 2026 03:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 13 Jun 2026 00:15:00 +0000

Type         Values Removed          Values Added
Weaknesses                           CWE-289
References
Metrics      threat_severity: None   threat_severity: Important


Fri, 12 Jun 2026 19:15:00 +0000

Type   Values Removed   Values Added
CPEs                    cpe:2.3:a:axios:axios:*:*:*:*:*:node.js:*:*

Thu, 11 Jun 2026 20:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Axios, Axios axios
Vendors & Products                     Axios, Axios axios

Thu, 11 Jun 2026 16:45:00 +0000

Type          Values Removed   Values Added
Description                    Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios does not normalise IPv4-mapped IPv6 addresses. When NO_PROXY lists an IPv4 address such as 127.0.0.1 or 169.254.169.254, a request URL using the IPv4-mapped IPv6 form (::ffff:7f00:1, ::ffff:a9fe:a9fe) still routes through the configured proxy. Node.js resolves these addresses to the underlying IPv4 host, so the request reaches the internal service via the proxy rather than being blocked. This vulnerability is fixed in 0.32.0 and 1.16.0.
Title                          Axios: shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)
Weaknesses                     CWE-918
References
Metrics                        cvssV3_1: {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-01T12:04:33.040Z

Reserved: 2026-05-06T17:18:51.783Z

Link: CVE-2026-44492

Vulnrichment

Updated: 2026-06-30T03:15:51.142Z

NVD

Status: Modified

Published: 2026-06-11T17:16:33.167

Modified: 2026-06-13T03:16:20.770

Link: CVE-2026-44492

Redhat

Severity: Important

Public Date: 2026-06-11T15:29:13Z

Links: CVE-2026-44492 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-13T02:30:06Z

Weaknesses
  • CWE-289

    Authentication Bypass by Alternate Name

  • CWE-918

    Server-Side Request Forgery (SSRF)