Axios: shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO

8.6 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Description

Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios does not normalise IPv4-mapped IPv6 addresses. When NO_PROXY lists an IPv4 address such as 127.0.0.1 or 169.254.169.254, a request URL using the IPv4-mapped IPv6 form (::ffff:7f00:1, ::ffff:a9fe:a9fe) still routes through the configured proxy. Node.js resolves these addresses to the underlying IPv4 host, so the request reaches the internal service via the proxy rather than being blocked. This vulnerability is fixed in 0.32.0 and 1.16.0.

AI Analysis

Axios does not normalize IPv4-mapped IPv6 addresses, allowing bypass of NO_PROXY restrictions

Basic Information

ID CVE-2026-44492

Source GitHub_M

Published Jun 11, 2026 at 15:29

Affected Product

Vendor axios

Product axios

Version >= 1.0.0, < 1.16.0

Affected Versions axios axios >= 1.0.0, < 1.16.0
axios axios < 0.32.0

CWE Classification

CWE-918

AI Assessment

AI Score 8.6 / 10

AI Severity High

Vendor Axios

Product Axios

Version < 0.32.0, >= 1.0.0, < 1.16.0

References

github.com /axios/axios/security/advisories/GHSA-pjwm-pj3p-43mv

{
    "lastseen": "",
    "description": "Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios does not normalise IPv4-mapped IPv6 addresses. When NO_PROXY lists an IPv4 address such as 127.0.0.1 or 169.254.169.254, a request URL using the IPv4-mapped IPv6 form (::ffff:7f00:1, ::ffff:a9fe:a9fe) still routes through the configured proxy. Node.js resolves these addresses to the underlying IPv4 host, so the request reaches the internal service via the proxy rather than being blocked. This vulnerability is fixed in 0.32.0 and 1.16.0.",
    "published": "2026-06-11T15:29:13.890Z",
    "modified": "2026-06-11T15:29:13.890Z",
    "type": "cve",
    "title": "Axios: shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)",
    "source": "GitHub_M",
    "references": "https://github.com/axios/axios/security/advisories/GHSA-pjwm-pj3p-43mv",
    "id": "CVE-2026-44492",
    "bulletinFamily": "",
    "cwe": [
        "CWE-918"
    ],
    "cvelist": null,
    "sourceData": "axios axios >= 1.0.0, < 1.16.0\naxios axios < 0.32.0",
    "sourceHref": "",
    "cvss": {
        "score": 8.6,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "axios",
    "version": ">= 1.0.0, < 1.16.0",
    "vendor": "axios",
    "ai_description": "Axios does not normalize IPv4-mapped IPv6 addresses, allowing bypass of NO_PROXY restrictions",
    "ai_severity": "High",
    "ai_vendor": "Axios",
    "ai_product": "Axios",
    "ai_version": "< 0.32.0, >= 1.0.0, < 1.16.0",
    "ai_score": 8.6
}

Axios: shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)_CVE-2026-44492