Impact
Axios does not normalise IPv4-mapped IPv6 addresses before versions 0.32.0 and 1.16.0. This flaw, classified as CWE-289 (authentication bypass by alternate name) and CWE-918 (server-side request forgery), occurs when a NO_PROXY environment variable lists an IPv4 address: requests to URLs that spell the same host in IPv4-mapped IPv6 form still route through the configured proxy, because the literal host string does not match the NO_PROXY entry. Because Node.js resolves such an address to the underlying IPv4 host, the request reaches the internal service through the proxy instead of being blocked. This lets an attacker expose internal services that should be unreachable, a risk of internal service leakage and potential further compromise.
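The mismatch described above, as an added example that is not Axios code: a NO_PROXY matcher that compares the host literally next to one that first collapses IPv4-mapped IPv6 literals to IPv4. The NO_PROXY value and hosts are constructed samples; the matcher's exact/suffix/wildcard rules are an assumption, not Axios's implementation.

```javascript
// Added example (not axios's own code). Shows why a literal NO_PROXY comparison
// misses IPv4-mapped IPv6 hosts and how normalising the host first closes the gap.

// Accepts the compressed (::ffff:), partially and fully expanded zero prefixes
// that precede the ffff group of an IPv4-mapped IPv6 address.
const MAPPED_PREFIX = '^(?:(?:0{1,4}:){5}|::|(?:0{1,4}:){1,4}:)ffff:';
const DOTTED = new RegExp(MAPPED_PREFIX + '(\\d{1,3}(?:\\.\\d{1,3}){3})$'); // ::ffff:10.0.0.5
const HEX = new RegExp(MAPPED_PREFIX + '([0-9a-f]{1,4}):([0-9a-f]{1,4})$'); // ::ffff:a00:5

// Strip URL brackets, lower-case, and map an IPv4-mapped IPv6 literal to its
// underlying IPv4 address. Any other host is returned unchanged.
function normalizeHost(host) {
  const bare = host.replace(/^\[|\]$/g, '').toLowerCase();
  let m = bare.match(DOTTED);
  if (m && m[1].split('.').every((o) => Number(o) <= 255)) return m[1];
  m = bare.match(HEX);
  if (m) {
    const hi = parseInt(m[1], 16), lo = parseInt(m[2], 16);
    return `${hi >> 8}.${hi & 0xff}.${lo >> 8}.${lo & 0xff}`;
  }
  return bare;
}

// NO_PROXY matcher (assumed rules): '*' matches everything, an entry starting
// with '.' is a domain suffix, anything else must match the host exactly.
// normalize=false is the literal comparison the advisory describes as vulnerable.
function bypassesProxy(host, noProxy, normalize) {
  const target = normalize ? normalizeHost(host) : host.replace(/^\[|\]$/g, '').toLowerCase();
  return noProxy.split(',').map((e) => e.trim().toLowerCase()).filter(Boolean)
    .some((e) => e === '*' || target === e || (e.startsWith('.') && target.endsWith(e)));
}

// Walk the same internal host in four spellings: literal matching exempts only
// the plain IPv4 form, normalised matching exempts all of them.
function demo() {
  const noProxy = 'localhost,10.0.0.5'; // constructed NO_PROXY value
  const hosts = ['10.0.0.5', '[::ffff:10.0.0.5]', '[::ffff:a00:5]', '0:0:0:0:0:ffff:a00:5'];
  return hosts.map((h) => ({
    host: h,
    literal: bypassesProxy(h, noProxy, false),
    normalized: bypassesProxy(h, noProxy, true),
  }));
}

console.table(demo());
```

Hosts taken from a parsed URL arrive in bracketed hex form (`[::ffff:a00:5]`), which is why the matcher must handle the hex spelling and not only the dotted one.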
Affected Systems
The vulnerability affects the Axios library distributed by the axios:axios project. Versions earlier than 0.32.0 in the 0.x series and earlier than 1.16.0 in the 1.x series are affected. Users of these older releases remain at risk until they apply the available fix or migrate.
Risk and Exploitability
The CVSS score of 8.6 signals a high-severity flaw, while the EPSS score of <1% indicates a very low probability of exploitation. The flaw is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker could manipulate the NO_PROXY environment variable or send requests containing IPv4-mapped IPv6 addresses, allowing internal hosts to be reached through an outbound proxy and potentially leaking internal traffic or enabling further lateral movement. The vulnerability does not require privileged local access; the inferred attack vector is remote, contingent on the ability to influence NO_PROXY or craft the requests.
OpenCVE Enrichment
Github GHSA