vCenter Server - Improper Access Control

Rhttproxy as used in vCenter Server contains a vulnerability due to improper implementation of URI normalization. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to bypass proxy leading to internal endpoints being accessed. id: CVE-2021-22017 info: name:...

CVE-2026-44492

A flaw was found in Axios, a promise-based HTTP client. This vulnerability occurs because Axios does not properly normalize IPv4-mapped IPv6 addresses. When a NOPROXY setting is configured to block direct access to specific IPv4 addresses, an attacker can bypass this restriction by using the...

CVE-2026-44492

CVE-2026-44492 affects Axios where IPv4-mapped IPv6 addresses were not normalised before versions 0.32.0 and 1.16.0, causing NO_PROXY bypass for addresses like 127.0.0.1 or 169.254.169.254 and allowing proxy routing to reach internal services. The connected documents confirm the issue and state i...

CVE-2026-44492 Axios: shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)

Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios does not normalise IPv4-mapped IPv6 addresses. When NOPROXY lists an IPv4 address such as 127.0.0.1 or 169.254.169.254, a request URL using the IPv4-mapped IPv6 form ::ffff:7f00:1, ::ffff:a9fe:a9fe...

CVE-2026-44492 Axios: shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)

Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios does not normalise IPv4-mapped IPv6 addresses. When NOPROXY lists an IPv4 address such as 127.0.0.1 or 169.254.169.254, a request URL using the IPv4-mapped IPv6 form ::ffff:7f00:1, ::ffff:a9fe:a9fe...

EUVD-2026-36255

Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios does not normalise IPv4-mapped IPv6 addresses. When NOPROXY lists an IPv4 address such as 127.0.0.1 or 169.254.169.254, a request URL using the IPv4-mapped IPv6 form ::ffff:7f00:1, ::ffff:a9fe:a9fe...

Security Bulletin: IBM Maximo Scheduler Optimizer uses axios-1.13.5.tgz which is vulnerable to CVE-2025-62718

Summary IBM Maximo Scheduler Optimizer uses axios-1.13.5.tgz which is vulnerable to CVE-2025-62718. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2025-62718 DESCRIPTION: Axios is a promise based HTTP client for the browser and...

Axios 代码问题漏洞

Axios is an open-source HTTP client developed by Axios, based on Promise a solution for asynchronous programming. There were code-related vulnerabilities in versions of Axios before 0.32.0 and 1.16.0. These vulnerabilities stemmed from unnormalized IPv4-to-Ipv6 address mappings, which could lead ...

axios: Axios: NO_PROXY bypass via crafted URL

A flaw was found in Axios, a promise-based HTTP client. An attacker who can control the destination address of an Axios request can exploit this vulnerability. By using specific internal network addresses within the 127.0.0.0/8 range, excluding 127.0.0.1, the attacker can completely bypass the...

axios: Axios: Server-Side Request Forgery and proxy bypass due to improper hostname normalization

A flaw was found in Axios, a promise-based HTTP client. This vulnerability occurs because Axios does not correctly handle hostname normalization when evaluating NOPROXY rules. An attacker can exploit this by crafting requests to loopback addresses e.g., localhost. or ::1 which bypass the NOPROXY...

Security Bulletin: Langflow OSS affected by vulnerabilies in Axios versions prior to 1.15.0

Summary Langflow OSS affected by vulnerabilies in Axios versions prior to 1.15.0 Vulnerability Details CVEID:CVE-2025-62718 DESCRIPTION: Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checki...

Security Bulletin: A vulnerability in the Axios package affects IBM® Db2® Big SQL on IBM Cloud Pak for Data.

Summary A vulnerability in the Axios package affects IBM® Db2® Big SQL 8 and earlier on IBM Cloud Pak for Data 5.3.1 and earlier. Vulnerability Details CVEID:CVE-2025-62718 DESCRIPTION: Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not...

Node.js Module axios < 0.32.0 / 1.x < 1.16.0 NO_PROXY Bypass (SSRF)

The version of the axios Node.js module installed on the remote host is prior to 0.32.0 or 1.x prior to 1.16.0. It is, therefore, affected by the following vulnerability: - shouldBypassProxy, introduced in v1.15.0 to fix CVE-2025-62718, does not normalise IPv4-mapped IPv6 addresses. When NOPROXY...

SUSE CVE-2026-42043

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL of an Axios request can use any address in the 127.0.0.0/8 range other than 127.0.0.1 to completely bypass the NOPROXY protection. This vulnerability is due t...

Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in axios-1.12.2.tgz

Summary IBM Watson Discovery Cartridge affected by vulnerability in axios-1.12.2.tgz Vulnerability Details CVEID:CVE-2025-62718 DESCRIPTION: Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when...

curl: curl/libcurl 8.20.0 NOPROXY bypass via uppercase-hex IPv4 aliases leaks off-proxy Basic credentials to the configured proxy

Summary: curl/libcurl 8.20.0 fails to enforce CURLOPTNOPROXY, --noproxy, and NOPROXY consistently for uppercase-hex IPv4 aliases such as 0X7f.1 on glibc-based systems that accept these legacy numeric IPv4 forms. When a canonical IP literal is excluded from proxying, curl sends the canonical form...

Security Bulletin: Multiple Vulnerabilities in IBM Aspera Enterprise WebApps

Summary Multiple Vulnerabilities Addressed in IBM Aspera Enterprise WebApps Version 1.0.3 Vulnerability Details CVEID:CVE-2025-62718 DESCRIPTION: Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization wh...

axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)

Summary shouldBypassProxy, introduced in v1.15.0 to fix CVE-2025-62718, does not normalise IPv4-mapped IPv6 addresses. When NOPROXY lists an IPv4 address such as 127.0.0.1 or 169.254.169.254, a request URL using the IPv4-mapped IPv6 form ::ffff:7f00:1, ::ffff:a9fe:a9fe still routes through the...

GHSA-PJWM-PJ3P-43MV axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)

Summary shouldBypassProxy, introduced in v1.15.0 to fix CVE-2025-62718, does not normalise IPv4-mapped IPv6 addresses. When NOPROXY lists an IPv4 address such as 127.0.0.1 or 169.254.169.254, a request URL using the IPv4-mapped IPv6 form ::ffff:7f00:1, ::ffff:a9fe:a9fe still routes through the...

Server-side Request Forgery (SSRF)

Overview org.webjars.npm:axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the shouldBypassProxy function. An attacker can access internal or metadata endpoints by crafting request URLs in...