CVE-2026-42043

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL of an Axios request can use any address in the 127.0.0.0/8 range (other than 127.0.0.1) to completely bypass the NO_PROXY protection. This vulnerability is due to an incomplete for CVE-2025-62718, This vulnerability is fixed in 1.15.1 and 0.31.1.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/axios/axios/security/advisories/GHSA-pmwg-cvhr-8vh7	Exploit Mitigation Vendor Advisory
https://github.com/axios/axios/security/advisories/GHSA-pmwg-cvhr-8vh7	Exploit Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:axios:axios::::::node.js::*
	cpe:2.3:a:axios:axios::::::node.js::*

History

27 Apr 2026, 20:05

Type	Values Removed	Values Added
CPE		cpe:2.3:a:axios:axios::::::node.js::*
References	~~() https://github.com/axios/axios/security/advisories/GHSA-pmwg-cvhr-8vh7 -~~	() https://github.com/axios/axios/security/advisories/GHSA-pmwg-cvhr-8vh7 - Exploit, Mitigation, Vendor Advisory
First Time		Axios axios Axios

27 Apr 2026, 14:16

Type	Values Removed	Values Added
References	~~() https://github.com/axios/axios/security/advisories/GHSA-pmwg-cvhr-8vh7 -~~	() https://github.com/axios/axios/security/advisories/GHSA-pmwg-cvhr-8vh7 -

24 Apr 2026, 18:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-24 18:16

Updated : 2026-04-27 20:05

NVD link : CVE-2026-42043

Mitre link : CVE-2026-42043

CVE.ORG link : CVE-2026-42043

JSON object : View

Products Affected

axios

axios

CWE

CWE-183

Permissive List of Allowed Inputs

CWE-441

Unintended Proxy or Intermediary ('Confused Deputy')

CWE-918

Server-Side Request Forgery (SSRF)

{"id": "CVE-2026-42043", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 10.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 3.9}]}, "published": "2026-04-24T18:16:31.457", "references": [{"url": "https://github.com/axios/axios/security/advisories/GHSA-pmwg-cvhr-8vh7", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/axios/axios/security/advisories/GHSA-pmwg-cvhr-8vh7", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-183"}, {"lang": "en", "value": "CWE-441"}, {"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL of an Axios request can use any address in the 127.0.0.0/8 range (other than 127.0.0.1) to completely bypass the NO_PROXY protection. This vulnerability is due to an incomplete for CVE-2025-62718, This vulnerability is fixed in 1.15.1 and 0.31.1."}], "lastModified": "2026-04-27T20:05:04.370", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:axios:axios:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "7D2B28C9-026E-4CD6-BD17-7EDD42108106", "versionEndExcluding": "0.31.1"}, {"criteria": "cpe:2.3:a:axios:axios:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "3EC1EF30-EBB8-410B-90FB-1F18A3545C2E", "versionEndExcluding": "1.15.1", "versionStartIncluding": "1.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}