Lucene search
+L

105 matches found

Github Security Blog
Github Security Blog
added 2026/05/05 12:40 a.m.12 views

Axios: no_proxy bypass via IP alias allows SSRF

The fix for noproxy hostname normalization bypass 10661 is incomplete.When noproxy=localhost is set, requests to 127.0.0.1 and ::1 still route through the proxy instead of bypassing it. The shouldBypassProxy function does pure string matching — it does not resolve IP aliases or loopback...

7.5CVSS5.8AI score0.00301EPSS
Exploits1References3Affected Software1
Patchstack
Patchstack
added 2026/05/05 12:20 a.m.9 views

NPM: Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0

NPM: Axios: Incomplete Fix for CVE-2025-62718 — NOPROXY Protection Bypassed via RFC 1122 Loopback Subnet 127.0.0.0/8 in Axios 1.15.0 vulnerability discovered by ? in WordPress Npm axios versions = 0.31.0...

10CVSS6.2AI score0.01161EPSS
Exploits2References3Affected Software1
EUVD
EUVD
added 2026/05/05 12:20 a.m.17 views

EUVD-2026-25608

Axios: Incomplete Fix for CVE-2025-62718 — NOPROXY Protection Bypassed via RFC 1122 Loopback Subnet 127.0.0.0/8 in Axios 1.15.0...

10CVSS6.2AI score0.01161EPSS
Exploits2References2
OSV
OSV
added 2026/05/05 12:20 a.m.5 views

GHSA-PMWG-CVHR-8VH7 Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0

Executive Summary This report documents an incomplete security patch for the previously disclosed vulnerability GHSA-3p68-rc4w-qgx5 CVE-2025-62718, which affects the NOPROXY hostname resolution logic in the Axios HTTP library. Background — The Original Vulnerability The original vulnerability...

7.2CVSS5.9AI score0.00661EPSS
Exploits1References3
Github Security Blog
Github Security Blog
added 2026/05/05 12:20 a.m.13 views

Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0

Executive Summary This report documents an incomplete security patch for the previously disclosed vulnerability GHSA-3p68-rc4w-qgx5 CVE-2025-62718, which affects the NOPROXY hostname resolution logic in the Axios HTTP library. Background — The Original Vulnerability The original vulnerability...

10CVSS6.3AI score0.01161EPSS
Exploits2References3Affected Software1
RedHat Linux
RedHat Linux
added 2026/05/04 11:37 p.m.11 views

axios: Axios: Server-Side Request Forgery and proxy bypass due to improper hostname normalization

A flaw was found in Axios, a promise-based HTTP client. This vulnerability occurs because Axios does not correctly handle hostname normalization when evaluating NOPROXY rules. An attacker can exploit this by crafting requests to loopback addresses e.g., localhost. or ::1 which bypass the NOPROXY...

9.9CVSS6.2AI score0.01161EPSS
Exploits1References10
IBM Security Bulletins
IBM Security Bulletins
added 2026/05/04 12:10 p.m.7 views

Security Bulletin: Axios NO_PROXY Bypass via Improper Hostname Normalization Leads to SSRF

Summary Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NOPROXY rules. Requests to loopback addresses like localhost. with a trailing dot or ::1 IPv6 literal skip NOPROXY matching an...

9.9CVSS6.2AI score0.01815EPSS
Exploits6Affected Software1
RedhatCVE
RedhatCVE
added 2026/04/29 9:0 a.m.13 views

CVE-2026-42038

A flaw was found in Axios, a software library used for making web requests. This vulnerability allows an attacker to bypass the noproxy configuration, which is designed to prevent certain internal network requests from being sent through an external proxy. Specifically, when noproxy=localhost is...

7.5CVSS5.3AI score0.00301EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/04/29 12:0 a.m.24 views

PT-2026-36111

Name of the Vulnerable Software and Affected Versions pygeoapi versions 0.23.0 through 0.23.2 Description A raw string path concatenation issue in the STAC FileSystemProvider plugin allows requests to STAC collection based collections to expose directories without authentication. This occurs when...

7.5CVSS5.8AI score0.0051EPSS
Exploits0References16
OSV
OSV
added 2026/04/27 6:33 p.m.12 views

JLSEC-2026-268 Issue summary: An application using the OpenSSL HTTP client API functions may trigger an out-of...

Issue summary: An application using the OpenSSL HTTP client API functions may trigger an out-of-bounds read if the 'noproxy' environment variable is set and the host portion of the authority component of the HTTP URL is an IPv6 address. Impact summary: An out-of-bounds read can trigger a crash...

5.9CVSS6.8AI score0.02093EPSS
Exploits0References15
Tenable Nessus
Tenable Nessus
added 2026/04/27 12:0 a.m.6 views

Linux Distros Unpatched Vulnerability : CVE-2026-42043

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL of an Axios request c...

10CVSS5.8AI score0.00661EPSS
Exploits1References4
Tenable Nessus
Tenable Nessus
added 2026/04/27 12:0 a.m.9 views

Linux Distros Unpatched Vulnerability : CVE-2026-42038

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, he fix for noproxy hostname normalization bypass is incomplete. Wh...

7.5CVSS5.9AI score0.00301EPSS
Exploits1References4
NVD
NVD
added 2026/04/24 6:16 p.m.16 views

CVE-2026-42043

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL of an Axios request can use any address in the 127.0.0.0/8 range other than 127.0.0.1 to completely bypass the NOPROXY protection. This vulnerability is due t...

10CVSS0.00661EPSS
Exploits1References41
CVE
CVE
added 2026/04/24 5:57 p.m.81 views

CVE-2026-42038

Axios no_proxy bypass via IP alias allows SSRF in older releases. Affected: Axios (browser/Node.js). Fault: shouldBypassProxy() uses pure string matching and does not resolve IP aliases or loopback equivalents, so requests to 127.0.0.1 or [::1] can be proxied when no_proxy=localhost. Impact: pote...

7.5CVSS5.3AI score0.00301EPSS
Exploits1References1Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/24 5:57 p.m.7 views

CVE-2026-42038 Axios: no_proxy bypass via IP alias allows SSRF

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, he fix for noproxy hostname normalization bypass is incomplete. When noproxy=localhost is set, requests to 127.0.0.1 and ::1 still route through the proxy instead of bypassing it. The shouldBypassProxy...

6.8CVSS5.3AI score0.00301EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/04/24 5:54 p.m.43 views

CVE-2026-42043 Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL of an Axios request can use any address in the 127.0.0.0/8 range other than 127.0.0.1 to completely bypass the NOPROXY protection. This vulnerability is due t...

7.2CVSS0.00661EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/04/24 5:54 p.m.6 views

CVE-2026-42043 Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL of an Axios request can use any address in the 127.0.0.0/8 range other than 127.0.0.1 to completely bypass the NOPROXY protection. This vulnerability is due t...

7.2CVSS5.3AI score0.00661EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/04/24 5:54 p.m.9 views

CVE-2026-42043

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL of an Axios request can use any address in the 127.0.0.0/8 range other than 127.0.0.1 to completely bypass the NOPROXY protection. This vulnerability is due t...

9.9CVSS5.3AI score0.01161EPSS
Exploits2References2Affected Software1
CVE
CVE
added 2026/04/24 5:54 p.m.275 views

CVE-2026-42043

Axios: CVE-2026-42043 affects Axios versions prior to 1.15.1 and 0.31.1, where an attacker controlling the request URL could bypass NO_PROXY by using loopback 127.0.0.0/8 addresses (except 127.0.0.1). Root cause is an incomplete fix for CVE-2025-62718. Impact is potential exposure via proxy/SSRF ...

10CVSS5.2AI score0.00661EPSS
Exploits1References41Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/24 12:0 a.m.7 views

PT-2026-35052

Name of the Vulnerable Software and Affected Versions Axios versions prior to 1.15.1 Axios versions prior to 0.31.1 Description An attacker capable of influencing the target URL of a request can bypass the NO PROXY protection by using any address in the 127.0.0.0/8 range, excluding 127.0.0.1...

10CVSS5.2AI score0.00661EPSS
Exploits1References258
Rows per page
Query Builder