CVE-2026-44487

HIGH

Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter

Title source: cna

Description

Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios’s Node.js HTTP adapter may forward a Proxy-Authorization header to a redirected origin during specific proxy-to-direct redirect flows. This affects Node.js usage, where an initial HTTP request is sent through an authenticated HTTP proxy, redirects are followed, and the redirected URL is no longer proxied. Under affected redirect shapes, the final origin can receive the proxy credential that was intended only for the outbound proxy. This vulnerability is fixed in 0.32.0 and 1.16.0.

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/axios/axios/security/advisories/GHSA-p92q-9vqr-4j8v

Scores

CVSS v3 7.5

EPSS 0.0043

EPSS Percentile 34.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-201

Status published

Products (4)

axios/axios < 0.32.0 (2 CPE variants)

axios/axios >= 1.0.0, < 1.16.0

npm/axios 0 - 0.32.0npm

npm/axios 1.0.0 - 1.16.0npm

Published Jun 11, 2026

Tracked Since Jun 11, 2026