Node.js Module axios < 0.32.0 / 1.x < 1.16.0 NO_PROXY Bypass (SSRF)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(318801);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/06/05");

  script_cve_id("CVE-2026-44492");
  script_xref(name:"IAVA", value:"2026-A-0534");

  script_name(english:"Node.js Module axios < 0.32.0 / 1.x < 1.16.0 NO_PROXY Bypass (SSRF)");

  script_set_attribute(attribute:"synopsis", value:
"A module in the Node.js JavaScript run-time environment is affected by a server-side request forgery vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of the axios Node.js module installed on the remote host is prior to 0.32.0 or 1.x prior to 1.16.0. It
is, therefore, affected by the following vulnerability:

  - shouldBypassProxy, introduced in v1.15.0 to fix CVE-2025-62718, does not normalise IPv4-mapped IPv6
    addresses. When NO_PROXY lists an IPv4 address such as 127.0.0.1 or 169.254.169.254, a request URL using
    the IPv4-mapped IPv6 form still routes through the configured proxy. Node.js resolves these addresses to
    the underlying IPv4 host, so the request reaches the internal service via the proxy rather than being
    blocked. (CVE-2026-44492)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://github.com/advisories/GHSA-pjwm-pj3p-43mv");
  script_set_attribute(attribute:"solution", value:
"Upgrade to axios version 0.32.0 / 1.16.0 or later.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-44492");

  script_set_attribute(attribute:"vuln_publication_date", value:"2026/05/29");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/05/29");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/06/05");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"asset_categories", value:"component");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:axios:axios");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("nodejs_modules_win_installed.nbin", "nodejs_modules_linux_installed.nbin", "nodejs_modules_mac_installed.nbin");
  script_require_keys("installed_sw/Node.js", "Host/nodejs/modules/enumerated");

  exit(0);
}

include('vcf_extras_nodejs.inc');

var app_info = vcf_extras::nodejs_modules::get_app_info(app:'axios');

if (empty_or_null(app_info))
  audit(AUDIT_NOT_INST, 'axios');

vcf::check_all_backporting(app_info:app_info);

var constraints = [
  { 'fixed_version' : '0.32.0' },
  { 'min_version' : '1.0.0', 'fixed_version' : '1.16.0' }
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);