8.6

CVE-2026-44492

Exploit

Axios: shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)

Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios does not normalise IPv4-mapped IPv6 addresses. When NO_PROXY lists an IPv4 address such as 127.0.0.1 or 169.254.169.254, a request URL using the IPv4-mapped IPv6 form (::ffff:7f00:1, ::ffff:a9fe:a9fe) still routes through the configured proxy. Node.js resolves these addresses to the underlying IPv4 host, so the request reaches the internal service via the proxy rather than being blocked. This vulnerability is fixed in 0.32.0 and 1.16.0.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
AxiosAxios SwPlatformnode.js Version < 0.32.0
AxiosAxios SwPlatformnode.js Version >= 1.0.0 < 1.16.0
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.92% 0.559
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
security-advisories@github.com 8.6 3.9 4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
0b0ca135-0b70-47e7-9f44-1890c2a1c46c 8.6 3.9 4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CWE-289 Authentication Bypass by Alternate Name

The product performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor.

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

https://bugzilla.redhat.com/show_bug.cgi?id=2487938
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-44492.json
https://access.redhat.com/errata/RHSA-2026:20889
https://access.redhat.com/errata/RHSA-2026:20938
https://access.redhat.com/errata/RHSA-2026:26234
https://access.redhat.com/errata/RHSA-2026:33574
https://access.redhat.com/errata/RHSA-2026:29197
https://access.redhat.com/errata/RHSA-2026:30651
https://access.redhat.com/errata/RHSA-2026:33155
https://access.redhat.com/errata/RHSA-2026:33160
https://access.redhat.com/errata/RHSA-2026:33163
https://access.redhat.com/errata/RHSA-2026:33173
https://access.redhat.com/errata/RHSA-2026:33183
https://access.redhat.com/errata/RHSA-2026:30650
https://access.redhat.com/errata/RHSA-2026:27044
https://access.redhat.com/errata/RHSA-2026:27063
https://access.redhat.com/errata/RHSA-2026:28964
https://access.redhat.com/errata/RHSA-2026:29082
https://github.com/axios/axios/security/advisories/GHSA-pjwm-pj3p-43mv
Vendor Advisory
Exploit
Mitigation
https://access.redhat.com/errata/RHSA-2026:33005
https://access.redhat.com/errata/RHSA-2026:36108
https://access.redhat.com/security/cve/CVE-2026-44492
https://access.redhat.com/errata/RHSA-2026:36820
https://access.redhat.com/errata/RHSA-2026:36882
https://access.redhat.com/errata/RHSA-2026:34766
https://access.redhat.com/errata/RHSA-2026:36754
https://access.redhat.com/errata/RHSA-2026:36883