Impact
Axios does not normalise IPv4-mapped IPv6 addresses before versions 0.32.0 and 1.16.0. When a NO_PROXY environment variable lists an IPv4 address, requests to URLs that use the IPv4-mapped IPv6 form of that address (the ::ffff: prefix followed by the IPv4 address) do not match the entry and still route through the configured proxy. Because Node.js resolves these addresses to the underlying IPv4 host, the request reaches an internal service through the proxy instead of being blocked. An attacker can use this to expose internal services that should be inaccessible, which represents a risk of internal service leakage and potential further compromise.
Affected Systems
The vulnerability affects the Axios library distributed by the axios:axios project. Versions earlier than 0.32.0 in the 0.x series and earlier than 1.16.0 in the 1.x series are impacted. Users of these older releases remain at risk until they apply the available fix or migrate to a fixed version.
Risk and Exploitability
The CVSS score of 8.6 signals a high-severity flaw, and the lack of an EPSS score indicates that exploitation data is not currently available. The flaw is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker who can manipulate the NO_PROXY environment variable or send requests containing IPv4-mapped IPv6 addresses could cause internal hosts to be reached through an outbound proxy, potentially leaking internal traffic or enabling further lateral movement. The vulnerability does not require privileged local access; the inferred attack vector is remote, contingent on the ability to influence NO_PROXY or craft the requests.
OpenCVE Enrichment
Github GHSA