CVE-2026-42038Server-Side Request Forgery in Axios

CWE-918Server-Side Request ForgeryCWE-1220Insufficient Granularity of Access Control4 documents4 sources
Severity
6.8MEDIUMNVD
EPSS
0.0%
top 90.33%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
58
Axios3scale-amp2 System-rhel73scale-amp2 System-rhel8+55 more
Timeline
PublishedApr 24

Description

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, he fix for no_proxy hostname normalization bypass is incomplete. When no_proxy=localhost is set, requests to 127.0.0.1 and [::1] still route through the proxy instead of bypassing it. The shouldBypassProxy() function does pure string matching — it does not resolve IP aliases or loopback equivalents. This vulnerability is fixed in 1.15.1 and 0.31.1.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:NExploitability: 2.2 | Impact: 4.0

Affected Packages59 packages

CVEListV5axios/axios< 0.31.1+1
Red Hataxios/axios
Red Hatboost/boost
Red Hatgrafana/grafana

🔴Vulnerability Details

1
VulDB
Axios up to 0.31.0/1.15.0 Normalization shouldBypassProxy server-side request forgery (GHSA-m7pr-hjqh-92cm)2026-04-24

📋Vendor Advisories

1
Red Hat
axios: Axios: Information disclosure due to `no_proxy` bypass2026-04-24

💬Community

1
Bugzilla
CVE-2026-42038 axios: Axios: Information disclosure due to `no_proxy` bypass2026-04-24
CVE-2026-42038 — Server-Side Request Forgery in Axios | cvebase