Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
3936 articles · 175980 vulns · 37/41 feeds (7d)
← Back to list
7.2
CVE-2026-42043PATCHED
axios · axios

Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0

Description

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL of an Axios request can use any address in the 127.0.0.0/8 range (other than 127.0.0.1) to completely bypass the NO_PROXY protection. This vulnerability is due to an incomplete for CVE-2025-62718, This vulnerability is fixed in 1.15.1 and 0.31.1.

Affected Products

VendorProductVersions
axiosaxios>= 1.0.0, < 1.15.1, < 0.31.1

Also Affects

Downstream vendors/products affected by this vulnerability

VendorProductSourceConfidence
atlassianconfluencecert_advisory90%
atlassiancruciblecert_advisory90%
atlassianbamboocert_advisory90%
atlassianfisheyecert_advisory90%
atlassianbitbucketcert_advisory90%

References

  • https://github.com/axios/axios/security/advisories/GHSA-pmwg-cvhr-8vh7(x_refsource_CONFIRM)

Related News (8 articles)

Tier B
CERT-FR22d ago
Bulletin d'actualité CERTFR-2026-ACT-027 (22 juin 2026)
→ No new info (linked only)
Tier B
CERT-FR26d ago
Multiples vulnérabilités dans les produits Atlassian (18 juin 2026)
→ No new info (linked only)
Tier B
BSI Advisories27d ago
[NEU] [hoch] Atlassian Bamboo, Bitbucket, Confluence, Fisheye, Crucible, Jira und Jira Service Management: Mehrere Schwachstellen
→ No new info (linked only)
Tier B
CERT-FR39d ago
Multiples vulnérabilités dans les produits IBM (05 juin 2026)
→ No new info (linked only)
Tier B
BSI Advisories48d ago
[NEU] [hoch] IBM License Metric Tool: Mehrere Schwachstellen ermöglichen nicht spezifizierten Angriff
→ No new info (linked only)
Tier B
BSI Advisories62d ago
[NEU] [hoch] Kiali für Red Hat OpenShift Service Mesh (Axios, Go, Follow-redirects): Mehrere Schwachstellen
→ No new info (linked only)
Tier B
BSI Advisories64d ago
[NEU] [mittel] IBM App Connect Enterprise (Axios): Mehrere Schwachstellen
→ No new info (linked only)
Tier C
VulDB81d ago
CVE-2026-42043 | Axios up to 0.31.0/1.15.0 permissive list of allowed inputs (GHSA-pmwg-cvhr-8vh7)
→ No new info (linked only)
CVSS 3.17.2 HIGH
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
CISA KEV❌ No
Actively exploited❌ No
Patch available
axios@1.15.1axios@0.31.1
CWECWE-183, CWE-441, CWE-918
PublishedApr 24, 2026
Last enriched81d agov2
Tags
GHSA-pmwg-cvhr-8vh7
Trending Score6
Source articles8
Independent3
Info Completeness8/14
Missing: epss, kev, exploit, patch, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

HIGHCVE-2026-42264
Axios: Prototype pollution read-side gadgets in HTTP adapter allow credential injection and request hijacking
Trending: 14
HIGHCVE-2026-44494EXP
Axios: Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`
Trending: 10
HIGHCVE-2026-44492
Axios: shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)
Trending: 3
HIGHCVE-2026-44496
Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection
Trending: 3
HIGHCVE-2026-44486
Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection
Trending: 3

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
Apr 24, 2026
Discovered by ZDM
Apr 24, 2026
Updated: severity, tags
Apr 24, 2026
Patch Available
Jul 10, 2026

Version History

v2
Last enriched 81d ago
v2Tier C81d ago

Updated severity to CRITICAL, noted no exploit available, and added new tag GHSA-pmwg-cvhr-8vh7.

severitytags
via VulDB
v181d ago

Initial creation