CVE-2026-42043 · CVSS 7.2 · PATCHED
axios · axios

Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0

Description

Axios is a promise-based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL of an Axios request can use any address in the 127.0.0.0/8 range (other than 127.0.0.1) to completely bypass the NO_PROXY protection. This vulnerability is due to an incomplete fix for CVE-2025-62718. It is fixed in 1.15.1 and 0.31.1.
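
A pre-flight check for the range named in the description, as an added example (not code from axios or from the advisory): it flags any request URL whose host is a loopback literal, treating all of 127.0.0.0/8 as loopback rather than only 127.0.0.1. It also covers ::1 and localhost names, which goes beyond the case described here; the function names and sample URLs are assumptions made for illustration.

```javascript
// Added example: classify request targets whose host is a loopback literal.
// isLoopbackTarget / flagLoopbackTargets are hypothetical helper names.

// True for all of 127.0.0.0/8 (RFC 1122), ::1, IPv4-mapped 127/8,
// and localhost names. Relies on the global WHATWG URL parser, which
// canonicalises numeric IPv4 hosts to dotted-decimal before we inspect them.
function isLoopbackTarget(rawUrl) {
  let host;
  try {
    host = new URL(rawUrl).hostname.toLowerCase();
  } catch {
    return false; // unparseable input: reject it separately, not classified here
  }
  host = host.replace(/\.$/, ''); // drop a trailing root dot
  if (host === 'localhost' || host.endsWith('.localhost')) return true;
  // IPv4 literal: the whole /8 counts, not just 127.0.0.1
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return host.split('.')[0] === '127';
  if (host.startsWith('[') && host.endsWith(']')) {
    const v6 = host.slice(1, -1);
    if (v6 === '::1') return true;
    // The parser serialises ::ffff:127.0.0.2 as ::ffff:7f00:2
    const mapped = /^::ffff:([0-9a-f]{1,4}):[0-9a-f]{1,4}$/.exec(v6);
    if (mapped) return (parseInt(mapped[1], 16) >> 8) === 0x7f;
  }
  return false;
}

// Constructed sample targets, not taken from the advisory.
const SAMPLE_TARGETS = [
  'http://127.0.0.1:8080/status',
  'http://127.0.0.2:8080/status',
  'http://127.255.255.254/',
  'http://[::1]/',
  'http://localhost:3000/',
  'https://api.example.com/v1',
  'http://128.0.0.1/',
];

// Returns the subset of URLs that point at a loopback literal.
function flagLoopbackTargets(urls) {
  return urls.filter(isLoopbackTarget);
}

console.log(flagLoopbackTargets(SAMPLE_TARGETS));
```

Run a check like this on user-influenced URLs before they reach the HTTP client; it does not replace upgrading to 1.15.1 or 0.31.1.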

Affected Products

Vendor | Product | Versions
axios | axios | npm/axios: >= 1.0.0, < 1.15.1, npm/axios: <= 0.31.0

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor | Product | Source | Confidence
ibm | app connect enterprise | cert_advisory | 90%
ibm | license metric tool | cert_advisory | 90%
npm | axios | GHSA | 85%
red hat | openshift | cert_advisory | 90%

References

  • https://github.com/axios/axios/security/advisories/GHSA-pmwg-cvhr-8vh7 (x_refsource_CONFIRM)

Related News (4 articles)

Tier B · BSI Advisories · 3d ago
[NEW] [high] IBM License Metric Tool: Multiple vulnerabilities allow unspecified attack
→ No new info (linked only)
Tier B · BSI Advisories · 17d ago
[NEW] [high] Kiali for Red Hat OpenShift Service Mesh (Axios, Go, Follow-redirects): Multiple vulnerabilities
→ No new info (linked only)
Tier B · BSI Advisories · 19d ago
[NEW] [medium] IBM App Connect Enterprise (Axios): Multiple vulnerabilities
→ No new info (linked only)
Tier C · VulDB · 36d ago
CVE-2026-42043 | Axios up to 0.31.0/1.15.0 permissive list of allowed inputs (GHSA-pmwg-cvhr-8vh7)
→ No new info (linked only)

CVSS 3.1: 7.2 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
CISA KEV: ❌ No
Actively exploited: ❌ No
Patch available: axios@1.15.1, axios@0.31.1
CWE: CWE-183, CWE-441, CWE-918
Published: Apr 24, 2026
Last enriched: 36d ago (v2)
Tags: GHSA-pmwg-cvhr-8vh7
Trending Score: 39
Source articles: 4
Independent: 2
Info Completeness: 8/14
Missing: epss, kev, exploit, patch, iocs, mitre_attack

Related CVEs (5)

MEDIUM · CVE-2025-62718 · EXP
Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF
Trending: 48
MEDIUM · CVE-2026-42034 · EXP
Axios: HTTP adapter streamed uploads bypass maxBodyLength when maxRedirects: 0
Trending: 44
HIGH · CVE-2026-42033 · EXP
Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking
Trending: 43
HIGH · CVE-2026-44490 · EXP
axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions
Trending: 43
HIGH · CVE-2026-42035 · EXP
Axios: Header Injection via Prototype Pollution
Trending: 43

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: Apr 24, 2026
Discovered by ZDM: Apr 24, 2026
Updated (severity, tags): Apr 24, 2026
Patch Available: Apr 27, 2026

Version History

v2 · Tier C · 36d ago

Updated severity to CRITICAL, noted no exploit available, and added new tag GHSA-pmwg-cvhr-8vh7.

Changed fields: severity, tags (via VulDB)

v1 · 36d ago

Initial creation