7 matches found
CVE-2026-49411 Deno Node TCPWrap numeric hostname aliases bypass --deny-net resolved-IP deny checks
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.0, the Node.js compatibility TCP path checked the permission against the original hostname string before resolution and then did not re-check after resolution. A caller could therefore pass a numeric alias of an IP address fo...
GHSA-V8FW-85R8-5M23 Deno: Node TCPWrap numeric hostname aliases bypass --deny-net resolved-IP deny checks
Summary Deno's network permission model is designed so that --deny-net rules apply to the resolved IP address of a destination, not just the literal string supplied by the caller. That means --deny-net=127.0.0.1 or --deny-net=127.0.0.0/8 is expected to block any attempt to reach loopback,...
PT-2026-50148
Name of the Vulnerable Software and Affected Versions Deno versions prior to 2.8.0 Description The Node.js compatibility TCP path fails to re-verify network permissions after hostname resolution. While the network permission model is intended to apply rules to the resolved IP address, affected...
Axios: no_proxy bypass via IP alias allows SSRF
The fix for noproxy hostname normalization bypass 10661 is incomplete.When noproxy=localhost is set, requests to 127.0.0.1 and ::1 still route through the proxy instead of bypassing it. The shouldBypassProxy function does pure string matching ā it does not resolve IP aliases or loopback...
GHSA-M7PR-HJQH-92CM Axios: no_proxy bypass via IP alias allows SSRF
The fix for noproxy hostname normalization bypass 10661 is incomplete.When noproxy=localhost is set, requests to 127.0.0.1 and ::1 still route through the proxy instead of bypassing it. The shouldBypassProxy function does pure string matching ā it does not resolve IP aliases or loopback...
CVE-2026-42038 Axios: no_proxy bypass via IP alias allows SSRF
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, he fix for noproxy hostname normalization bypass is incomplete. When noproxy=localhost is set, requests to 127.0.0.1 and ::1 still route through the proxy instead of bypassing it. The shouldBypassProxy...
CVE-2026-42038
Axios no_proxy bypass via IP alias allows SSRF in older releases. Affected: Axios (browser/Node.js). Fault: shouldBypassProxy() uses pure string matching and does not resolve IP aliases or loopback equivalents, so requests to 127.0.0.1 or [::1] can be proxied when no_proxy=localhost. Impact: pote...