Lucene search
K

17 matches found

RedHat Linux
RedHat Linux
added 2026/06/10 3:39 p.m.7 views

axios: Axios: NO_PROXY bypass via crafted URL

A flaw was found in Axios, a promise-based HTTP client. An attacker who can control the destination address of an Axios request can exploit this vulnerability. By using specific internal network addresses within the 127.0.0.0/8 range, excluding 127.0.0.1, the attacker can completely bypass the...

10CVSS7.5AI score0.00661EPSS
Exploits1References5
SUSE CVE
SUSE CVE
added 2026/06/04 2:24 a.m.9 views

SUSE CVE-2026-42043

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL of an Axios request can use any address in the 127.0.0.0/8 range other than 127.0.0.1 to completely bypass the NOPROXY protection. This vulnerability is due t...

10CVSS5.8AI score0.00661EPSS
Exploits1References3
RedHat Linux
RedHat Linux
added 2026/06/02 5:41 p.m.19 views

axios: Axios: NO_PROXY bypass via crafted URL

A flaw was found in Axios, a promise-based HTTP client. An attacker who can control the destination address of an Axios request can exploit this vulnerability. By using specific internal network addresses within the 127.0.0.0/8 range, excluding 127.0.0.1, the attacker can completely bypass the...

10CVSS5.7AI score0.00661EPSS
Exploits1References5
Github Security Blog
Github Security Blog
added 2026/05/05 12:20 a.m.13 views

Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0

Executive Summary This report documents an incomplete security patch for the previously disclosed vulnerability GHSA-3p68-rc4w-qgx5 CVE-2025-62718, which affects the NOPROXY hostname resolution logic in the Axios HTTP library. Background — The Original Vulnerability The original vulnerability...

10CVSS6.3AI score0.01186EPSS
Exploits2References3Affected Software1
OSV
OSV
added 2026/05/05 12:20 a.m.4 views

GHSA-PMWG-CVHR-8VH7 Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0

Executive Summary This report documents an incomplete security patch for the previously disclosed vulnerability GHSA-3p68-rc4w-qgx5 CVE-2025-62718, which affects the NOPROXY hostname resolution logic in the Axios HTTP library. Background — The Original Vulnerability The original vulnerability...

7.2CVSS5.9AI score0.00661EPSS
Exploits1References3
Veracode
Veracode
added 2026/04/28 8:57 a.m.11 views

Proxy Bypass

Axios is vulnerable to Proxy Bypass. The vulnerability is due to incomplete NOPROXY handling for loopback addresses, where requests to the 127.0.0.0/8 range excluding 127.0.0.1 bypass proxy restrictions, allowing attackers to access internal or local services despite configured protections...

10CVSS5.2AI score0.00661EPSS
Exploits1References41Affected Software1
NVD
NVD
added 2026/04/24 6:16 p.m.16 views

CVE-2026-42043

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL of an Axios request can use any address in the 127.0.0.0/8 range other than 127.0.0.1 to completely bypass the NOPROXY protection. This vulnerability is due t...

10CVSS0.00661EPSS
Exploits1References41
ATTACKERKB
ATTACKERKB
added 2026/04/24 5:54 p.m.9 views

CVE-2026-42043

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL of an Axios request can use any address in the 127.0.0.0/8 range other than 127.0.0.1 to completely bypass the NOPROXY protection. This vulnerability is due t...

9.9CVSS5.3AI score0.01186EPSS
Exploits2References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/24 5:54 p.m.6 views

CVE-2026-42043 Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL of an Axios request can use any address in the 127.0.0.0/8 range other than 127.0.0.1 to completely bypass the NOPROXY protection. This vulnerability is due t...

7.2CVSS5.3AI score0.00661EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/04/24 5:54 p.m.38 views

CVE-2026-42043 Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL of an Axios request can use any address in the 127.0.0.0/8 range other than 127.0.0.1 to completely bypass the NOPROXY protection. This vulnerability is due t...

7.2CVSS0.00661EPSS
Exploits1References1
CVE
CVE
added 2026/04/24 5:54 p.m.265 views

CVE-2026-42043

Axios: CVE-2026-42043 affects Axios versions prior to 1.15.1 and 0.31.1, where an attacker controlling the request URL could bypass NO_PROXY by using loopback 127.0.0.0/8 addresses (except 127.0.0.1). Root cause is an incomplete fix for CVE-2025-62718. Impact is potential exposure via proxy/SSRF ...

10CVSS5.2AI score0.00661EPSS
Exploits1References41Affected Software1
CNNVD
CNNVD
added 2026/04/24 12:0 a.m.9 views

Axios 安全漏洞

Axios is an open-source HTTP client developed by Axios. Versions prior to Axios 1.15.1 and 0.31.1 contain security vulnerabilities. These vulnerabilities allow attackers to influence the target URL of Axios requests, enabling them to bypass the NOPROXY protection by using any address within the...

10CVSS5.8AI score0.00661EPSS
Exploits1References1
OpenVAS
OpenVAS
added 2025/05/07 12:0 a.m.3 views

Configure the iptables Policies for Loopback Properly

The loopback address 127.0.0.0/8 is a special address on a server. It is irrelevant to NICs and is mainly used for the inter-process communication of a local device. Packets with the source address 127.0.0.0/8 from NICs should be discarded. If policies related to the loopback address are improper...

6.8AI score
Exploits0References2
OSV
OSV
added 2024/09/18 5:42 p.m.2 views

GHSA-68G8-C275-XF2M Directus vulnerable to SSRF Loopback IP filter bypass

Impact If you're relying on blocking access to localhost using the default 0.0.0.0 filter this can be bypassed using other registered loopback devices like 127.0.0.2 - 127.127.127.127 Workaround You can block this bypass by manually adding the 127.0.0.0/8 CIDR range which will block access to any...

5.3CVSS5.9AI score0.00463EPSS
Exploits0References7
Cvelist
Cvelist
added 2024/05/01 6:27 a.m.35 views

CVE-2024-23336 Incomplete disallowed remote addresses list in MyBB

MyBB is a free and open source forum software. The default list of disallowed remote hosts does not contain the 127.0.0.0/8 block, which may result in a Server-Side Request Forgery SSRF vulnerability. The Configuration File's Disallowed Remote Addresses list $config'disallowedremoteaddresses'...

5CVSS5.6AI score0.00457EPSS
Exploits0References4
OSV
OSV
added 2014/11/25 11:59 p.m.3 views

DEBIAN-CVE-2014-9038

wp-includes/http.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to conduct server-side request forgery SSRF attacks by referring to a 127.0.0.0/8 resource...

6.4CVSS7AI score0.03772EPSS
Exploits0References1
Debian CVE
Debian CVE
added 2014/11/25 11:0 p.m.24 views

CVE-2014-9038

wp-includes/http.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to conduct server-side request forgery SSRF attacks by referring to a 127.0.0.0/8 resource...

6.4CVSS5.7AI score0.03772EPSS
Exploits0
Rows per page
Query Builder