CVE-2026-44492
HIGHAxios < 0.32.0 and 1.0.0-1.15.x - NO_PROXY Bypass via IPv4-Mapped IPv6
Title source: manualDescription
Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios does not normalise IPv4-mapped IPv6 addresses. When NO_PROXY lists an IPv4 address such as 127.0.0.1 or 169.254.169.254, a request URL using the IPv4-mapped IPv6 form (::ffff:7f00:1, ::ffff:a9fe:a9fe) still routes through the configured proxy. Node.js resolves these addresses to the underlying IPv4 host, so the request reaches the internal service via the proxy rather than being blocked. This vulnerability is fixed in 0.32.0 and 1.16.0.
References (1)
Core 1
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/axios/axios/security/advisories/GHSA-pjwm-pj3p-43mv
Scores
CVSS v3
8.6
EPSS
0.0044
EPSS Percentile
35.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-918
Status
published
Products (2)
axios/axios
< 0.32.0 (2 CPE variants)
axios/axios
>= 1.0.0, < 1.16.0
Published
Jun 11, 2026
Tracked Since
Jun 11, 2026