Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
3936 articles · 175980 vulns · 37/41 feeds (7d)
← Back to list
7.5
CVE-2026-44486PATCHED
axios · axios

Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection

Description

Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios’ Node.js HTTP adapter can leak proxy credentials to a redirect target in affected versions. When a request is sent through an authenticated proxy, Axios may add a Proxy-Authorization header. If Axios then follows a redirect and the redirected request is no longer sent through that proxy, the stale Proxy-Authorization header can remain on the redirected request and be sent to the redirect target. This affects Node.js's use of Axios with automatic redirects enabled and an authenticated proxy configuration. Browser adapters are not affected. This vulnerability is fixed in 0.32.0 and 1.16.0.

Affected Products

VendorProductVersions
axiosaxios>= 1.0.0, < 1.16.0, < 0.32.0

Also Affects

Downstream vendors/products affected by this vulnerability

VendorProductSourceConfidence
atlassianfisheyecert_advisory90%
atlassianconfluencecert_advisory90%
atlassianbamboocert_advisory90%
atlassiancruciblecert_advisory90%
atlassianjiracert_advisory90%

References

  • https://github.com/axios/axios/security/advisories/GHSA-j5f8-grm9-p9fc(x_refsource_CONFIRM)

Related News (2 articles)

Tier B
BSI Advisories27d ago
[NEU] [hoch] Atlassian Bamboo, Bitbucket, Confluence, Fisheye, Crucible, Jira und Jira Service Management: Mehrere Schwachstellen
→ No new info (linked only)
Tier C
VulDB33d ago
CVE-2026-44486 | Axios up to 0.31.x/1.15.x Header Proxy-Authorization information disclosure
→ No new info (linked only)
CVSS 3.17.5 HIGH
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA KEV❌ No
Actively exploited❌ No
Patch available
axios@1.16.0axios@0.32.0
CWECWE-200
PublishedJun 4, 2026
Tags
GHSA-j5f8-grm9-p9fcnpm
Trending Score3
Source articles2
Independent2
Info Completeness0/14
Missing: cve_id, title, description, vendor, product, versions, cvss, epss, cwe, kev, exploit, patch, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

HIGHCVE-2026-42264
Axios: Prototype pollution read-side gadgets in HTTP adapter allow credential injection and request hijacking
Trending: 14
HIGHCVE-2026-44494EXP
Axios: Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`
Trending: 10
HIGHCVE-2026-42043
Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0
Trending: 6
HIGHCVE-2026-44492
Axios: shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)
Trending: 3
HIGHCVE-2026-44496
Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection
Trending: 3

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
Jun 4, 2026
Discovered by ZDM
Jun 4, 2026
Patch Available
Jul 10, 2026