CVE-2026-42038
Axios: no_proxy bypass via IP alias allows SSRF
CVSS Score
6.8
EPSS Score
0.0%
EPSS Percentile
0th
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, he fix for no_proxy hostname normalization bypass is incomplete. When no_proxy=localhost is set, requests to 127.0.0.1 and [::1] still route through the proxy instead of bypassing it. The shouldBypassProxy() function does pure string matching โ it does not resolve IP aliases or loopback equivalents. This vulnerability is fixed in 1.15.1 and 0.31.1.
| CWE | CWE-918 |
| Vendor | axios |
| Product | axios |
| Published | Apr 24, 2026 |
Stay Ahead of the Next One
Get instant alerts for axios axios
Be the first to know when new medium vulnerabilities affecting axios axios are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None
Affected Versions
axios / axios
>= 1.0.0, < 1.15.1 < 0.31.1