Zero Day MonitorZDM

← Back to list

6.8

CVE-2026-42038EXPLOITEDPATCHED

axios · axios

Axios: no_proxy bypass via IP alias allows SSRF

Description

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, he fix for no_proxy hostname normalization bypass is incomplete. When no_proxy=localhost is set, requests to 127.0.0.1 and [::1] still route through the proxy instead of bypassing it. The shouldBypassProxy() function does pure string matching — it does not resolve IP aliases or loopback equivalents. This vulnerability is fixed in 1.15.1 and 0.31.1.

Affected Products

Vendor	Product	Versions
axios	axios	npm/axios: >= 1.0.0, < 1.15.1, npm/axios: <= 0.31.0

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor	Product	Source	Confidence
ibm	app connect enterprise	cert_advisory	90%
npm	axios	GHSA	85%

References

https://github.com/axios/axios/security/advisories/GHSA-m7pr-hjqh-92cm(x_refsource_CONFIRM)

Related News (2 articles)

Tier B

BSI Advisories10h ago

[NEU] [mittel] IBM App Connect Enterprise (Axios): Mehrere Schwachstellen

→ No new info (linked only)

Tier C

VulDB17d ago

CVE-2026-42038 | Axios up to 0.31.0/1.15.0 Normalization shouldBypassProxy server-side request forgery (GHSA-m7pr-hjqh-92cm)

→ No new info (linked only)

CVSS 3.16.8 MEDIUM

VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

axios@1.15.1axios@0.31.1

CWECWE-918

PublishedApr 24, 2026

Last enriched17d agov2

Trending Score59

Source articles2

Independent2

Info Completeness8/14

Missing: epss, kev, exploit, patch, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

MEDIUMCVE-2026-42034EXP

Axios: HTTP adapter streamed uploads bypass maxBodyLength when maxRedirects: 0

HIGHCVE-2026-42033EXP

Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking

HIGHCVE-2026-42035EXP

Axios: Header Injection via Prototype Pollution

MEDIUMCVE-2026-42044EXP

Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver`

MEDIUMCVE-2026-42041EXP

Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 24, 2026

Discovered by ZDM

Apr 24, 2026

Updated: severity, activelyExploited

Apr 24, 2026

Actively Exploited

Apr 27, 2026

Patch Available

Apr 27, 2026

Version History

v2

Last enriched 17d ago

v2Tier C17d ago

Updated severity to CRITICAL and marked the vulnerability as actively exploited.

severityactivelyExploited

via VulDB

v117d ago

Initial creation