Node.js Module axios < 1.15.1 Multiple Vulnerabilities

The version of the axios Node.js module installed on the remote host is prior to 1.15.1. It is, therefore, affected by multiple vulnerabilities: - Prototype pollution gadgets in axios allow response tampering, data exfiltration, and request hijacking. CVE-2026-42033 - Axios' HTTP adapter-streamed...

CVE-2026-42038

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, he fix for noproxy hostname normalization bypass is incomplete. When noproxy=localhost is set, requests to 127.0.0.1 and ::1 still route through the proxy instead of bypassing it. The shouldBypassProxy...

CVE-2026-42038

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, he fix for noproxy hostname normalization bypass is incomplete. When noproxy=localhost is set, requests to 127.0.0.1 and ::1 still route through the proxy instead of bypassing it. The shouldBypassProxy...

CVE-2026-42038 Axios: no_proxy bypass via IP alias allows SSRF

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, he fix for noproxy hostname normalization bypass is incomplete. When noproxy=localhost is set, requests to 127.0.0.1 and ::1 still route through the proxy instead of bypassing it. The shouldBypassProxy...

curl: no_proxy IDN mismatch: Unicode hostnames bypass proxy exclusion list

Summary Unicode IDN hostnames in noproxy are never converted to punycode before comparison, so they never match the request hostname which curl has already converted to punycode. A user who types noproxy="bücher.de" and requests http://bücher.de/ expects the proxy to be bypassed. Instead curl...

SUSE SLES16 Security Update : openssl-3 (SUSE-SU-2025:21213-1)

The remote SUSE Linux SLES16 / SLESSAP16 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2025:21213-1 advisory. - CVE-2025-9230: Fixed out-of-bounds read & write in RFC 3211 KEK unwrap bsc1250232 - CVE-2025-9231: Fixedk timing side-channel in...

MGASA-2025-0241 Updated quictls packages with two security issues and bug fixes

Two security issues and miscellaneous minor bug fixes. Fix Out-of-bounds read & write in RFC 3211 KEK Unwrap. CVE-2025-9230 Fix Out-of-bounds read in HTTP client noproxy handling. CVE-2025-9232...

EUVD-2025-31727

Malicious code in bioql PyPI...

Linux Distros Unpatched Vulnerability : CVE-2025-9232

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Issue summary: An application using the OpenSSL HTTP client API functions may trigger an out-of-bounds read if the 'noproxy' environment variable is set and the...

OpenSSL 3.2.0 < 3.2.6 Multiple Vulnerabilities

The version of OpenSSL installed on the remote host is prior to 3.2.6. It is, therefore, affected by multiple vulnerabilities as referenced in the 3.2.6 advisory. - Issue summary: A timing side-channel which could potentially allow remote recovery of the private key exists in the SM2 algorithm...

FreeBSD : OpenSSL -- multiple vulnerabilities (00e912c5-9e92-11f0-bc5f-8447094a420f)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 00e912c5-9e92-11f0-bc5f-8447094a420f advisory. The OpenSSL project reports reports: Out-of-bounds read & write in RFC 3211 KEK Unwrap Timing...

CVE-2025-9232

Issue summary: An application using the OpenSSL HTTP client API functions may trigger an out-of-bounds read if the 'noproxy' environment variable is set and the host portion of the authority component of the HTTP URL is an IPv6 address. Impact summary: An out-of-bounds read can trigger a crash...

ALPINE-CVE-2025-9232

Issue summary: An application using the OpenSSL HTTP client API functions may trigger an out-of-bounds read if the 'noproxy' environment variable is set and the host portion of the authority component of the HTTP URL is an IPv6 address. Impact summary: An out-of-bounds read can trigger a crash...

CVE-2025-9232

CVE-2025-9232 involves OpenSSL HTTP client API functions; the vulnerability is an out-of-bounds read when the environment variable no_proxy is set and the URL’s authority host is IPv6, causing potential Denial of Service via a crash. The issue is rooted in HTTP client handling introduced in patch...

OpenSSL 3.3.0 < 3.3.5 Multiple Vulnerabilities

The version of OpenSSL installed on the remote host is prior to 3.3.5. It is, therefore, affected by multiple vulnerabilities as referenced in the 3.3.5 advisory. - Issue summary: A timing side-channel which could potentially allow remote recovery of the private key exists in the SM2 algorithm...

OpenSSL 3.0.0 < 3.0.18 Multiple Vulnerabilities

The version of OpenSSL installed on the remote host is prior to 3.0.18. It is, therefore, affected by multiple vulnerabilities as referenced in the 3.0.18 advisory. - Issue summary: An application using the OpenSSL HTTP client API functions may trigger an out-of-bounds read if the 'noproxy'...

FreeBSD-SA-25:08.openssl

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-25:08.openssl Security Advisory The FreeBSD Project Topic: Multiple vulnerabilities in OpenSSL Category: contrib Module: openssl Announced: 2025-09-30 Credits:...

CVE-2025-22870

A flaw was found in proxy host matching. This vulnerability allows improper bypassing of proxy settings via manipulating an IPv6 zone ID, causing unintended matches against the NOPROXY environment variable. Mitigation Mitigation for this issue is either not available or the currently available...

HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net

Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NOPROXY environment variable is set to ".example.com", a request to "::1%25.example.com:80 will incorrectly match and not be proxied...

CVE-2025-22870

Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NOPROXY environment variable is set to ".example.com", a request to "::1%25.example.com:80 will incorrectly match and not be proxied...