HIGH · CVE-2026-44492 · CNA: GitHub_M

CVE-2026-44492: Axios: shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)

Axios is a promise-based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios does not normalise IPv4-mapped IPv6 addresses. When NO_PROXY lists an IPv4 address such as 127.0.0.1 or 169.254.169.254, a request URL using the IPv4-mapped IPv6 form (::ffff:7f00:1, ::ffff:a9fe:a9fe) still routes through the configured proxy. Node.js resolves these addresses to the underlying IPv4 host, so the request reaches the internal service via the proxy rather than being blocked. This vulnerability is fixed in 0.32.0 and 1.16.0.

Metrics

  • CVSS v3.1: 8.6
  • Severity: HIGH
  • Fixed in: (none listed)
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A proxy-bypass vulnerability exists in Axios, a widely used HTTP client for Node.js and browsers. An attacker who can influence request URLs can craft an IPv4-mapped IPv6 address (for example ::ffff:7f00:1 in place of 127.0.0.1) to route requests through a configured proxy even when the target IP is listed in NO_PROXY, because Axios does not normalize these address forms before checking the bypass list. Successful exploitation allows the attacker to read responses from internal services such as instance metadata endpoints, exposing sensitive configuration data and credentials. HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as fix versions are published upstream.
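The description and synopsis above both come down to one missing step: the request host is compared against the NO_PROXY entries as text, without first canonicalising IPv4-mapped IPv6 literals. The following is an added example, not Axios's own code and not HarborGuard's: a naive string-match bypass check that reproduces the behaviour the advisory describes, beside a hardened version that rewrites `::ffff:` literals (hex and dotted-quad forms, with or without URL brackets) to the IPv4 address they map to before the comparison. The function names, the small IPv6 parsing helper and the sample NO_PROXY list are constructed for this demonstration; real bypass logic also has to handle hostname suffix matches, ports and CIDR entries, which are deliberately left out here.

```javascript
// Added example, not Axios code: canonicalise IPv4-mapped IPv6 literals before
// comparing a request host against NO_PROXY. All names are constructed for
// this demonstration.

// Parse an IPv6 literal into its eight 16-bit groups. Returns null when the
// text is not a valid IPv6 address. Handles "::" compression and a trailing
// dotted quad such as "::ffff:127.0.0.1".
function expandIPv6(addr) {
  let a = addr;
  const lastColon = a.lastIndexOf(":");
  const tail = a.slice(lastColon + 1);
  if (tail.includes(".")) {
    // Turn the dotted quad into two hex groups so the rest of the parser is uniform.
    const octets = tail.split(".").map((o) => (/^\d{1,3}$/.test(o) ? Number(o) : NaN));
    if (octets.length !== 4 || octets.some((o) => Number.isNaN(o) || o > 255)) return null;
    const g1 = ((octets[0] << 8) | octets[1]).toString(16);
    const g2 = ((octets[2] << 8) | octets[3]).toString(16);
    a = a.slice(0, lastColon + 1) + g1 + ":" + g2;
  }
  const halves = a.split("::");
  if (halves.length > 2) return null;
  const left = halves[0] ? halves[0].split(":") : [];
  const right = halves.length === 2 && halves[1] ? halves[1].split(":") : [];
  const missing = 8 - left.length - right.length;
  if (halves.length === 2 && missing < 1) return null; // "::" must stand for at least one group
  const groups = halves.length === 2 ? [...left, ...new Array(missing).fill("0"), ...right] : left;
  if (groups.length !== 8) return null;
  const nums = groups.map((g) => (/^[0-9a-f]{1,4}$/.test(g) ? parseInt(g, 16) : NaN));
  return nums.some(Number.isNaN) ? null : nums;
}

// Canonicalise a host for NO_PROXY comparison: lowercase, strip URL brackets,
// and rewrite an IPv4-mapped IPv6 literal (::ffff:a.b.c.d or ::ffff:xxxx:xxxx)
// as the IPv4 address it maps to. Anything else is returned unchanged.
function normalizeHost(host) {
  let h = String(host).trim().toLowerCase();
  if (h.startsWith("[") && h.endsWith("]")) h = h.slice(1, -1);
  if (!h.includes(":")) return h; // hostnames and IPv4 literals never contain ":"
  const groups = expandIPv6(h);
  if (groups === null) return h;
  const mapped = groups.slice(0, 5).every((g) => g === 0) && groups[5] === 0xffff;
  if (!mapped) return h;
  const [hi, lo] = groups.slice(6);
  return [hi >> 8, hi & 0xff, lo >> 8, lo & 0xff].join(".");
}

// Naive check resembling the pre-fix behaviour the advisory describes: the
// request host is compared as plain text against the NO_PROXY entries, so
// "::ffff:7f00:1" never matches an entry of "127.0.0.1".
function shouldBypassProxyNaive(host, noProxy) {
  const entries = noProxy.split(",").map((e) => e.trim().toLowerCase()).filter(Boolean);
  const target = String(host).trim().toLowerCase();
  return entries.some((e) => e === "*" || e === target);
}

// Hardened check: both sides go through normalizeHost first, so the mapped
// literal compares equal to the IPv4 entry it resolves to.
function shouldBypassProxyNormalized(host, noProxy) {
  const target = normalizeHost(host);
  const entries = noProxy.split(",").map((e) => normalizeHost(e)).filter(Boolean);
  return entries.some((e) => e === "*" || e === target);
}

// Constructed NO_PROXY list and request hosts for the demonstration.
const NO_PROXY = "127.0.0.1,169.254.169.254,localhost";

function demo() {
  const hosts = ["127.0.0.1", "::ffff:7f00:1", "[::ffff:127.0.0.1]", "::ffff:a9fe:a9fe", "example.com"];
  return hosts.map((h) => ({
    host: h,
    canonical: normalizeHost(h),
    naiveBypass: shouldBypassProxyNaive(h, NO_PROXY),
    normalizedBypass: shouldBypassProxyNormalized(h, NO_PROXY),
  }));
}

console.table(demo());
```

Running the block prints one row per host; the two mapped forms of 127.0.0.1 and the mapped form of 169.254.169.254 show `naiveBypass: false` but `normalizedBypass: true`, which is exactly the gap the advisory describes. Normalising the NO_PROXY entries as well as the request host matters because an operator may write the list in either notation.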

HarborGuard Coverage

Detection (Available)

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built Node.js application images that bundle Axios as a dependency. Any image layer containing an affected Axios version (>=1.0.0,<1.16.0 or <0.32.0) is flagged automatically.
Triage (Available)

HarborGuard scores this CVE at CVSS 8.6 HIGH and weights it against each customer environment's compliance policy to determine urgency and routing. Triage notifications are directed to the appropriate team inbox inside each customer organization based on image ownership and policy configuration.
Patch (Pending upstream)

Because no fix versions have been published upstream for this CVE, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment Axios ships a remediated release. Customers with auto-remediation enabled will receive a rebuilt image, a regression-test run, and a pull request opened against affected workloads without manual intervention as soon as the upstream fix is confirmed.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to send requests over the network to an Axios-backed service or influence its outbound HTTP requests remotely.

  • Authentication: Not required

    No authentication is required; the bypass is triggered purely by the form of the request URL.

  • Victim interaction: Not required

    No victim interaction is needed; the IPv4-mapped IPv6 address is processed automatically by the Axios request pipeline.

  • Attack complexity: Low

    Exploiting the bypass requires only constructing a well-known IPv4-mapped IPv6 address form; no special environmental conditions or race conditions are involved.

Blast Radius

  • Reads responses from internal HTTP services (such as cloud instance metadata endpoints at 169.254.169.254) that are intended to be unreachable via proxy, exposing IAM credentials, instance identity tokens, and bootstrap secrets.
  • Reads data from loopback services at 127.0.0.1 that the NO_PROXY list was meant to protect, such as local admin APIs or sidecar services.
  • The CVSS scope is Changed (S:C): the confidentiality breach extends beyond the vulnerable Axios process itself to any downstream system whose secrets are exposed through the metadata or internal service responses.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for this CVE at this time, HarborGuard continuously re-evaluates the advisory on each ingest cycle and will surface a patched-image rebuild automatically the moment Axios publishes a remediated version. In the interim, compensating controls available to customers include network-policy isolation that blocks outbound proxy traffic from workloads that do not require it, egress filtering rules that deny traffic destined for link-local (169.254.0.0/16) and loopback (127.0.0.0/8) ranges at the infrastructure layer regardless of proxy configuration, and feature-flag gating to disable proxy routing for services where NO_PROXY guarantees are security-critical. For customers with auto-remediation enabled, a rebuilt image, regression-test run, and pull request against affected workloads will be triggered automatically once an upstream fix is confirmed, with median time from CVE publication to merged patch PR for high-severity issues around 90 minutes in those environments.

Affected packages

  • axios / axios: >= 1.0.0, < 1.16.0 · < 0.32.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N