DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-42038: Server-Side Request Forgery via Incomplete Hostname Normalization in Axios Proxy Logic

Vulnerability ID: CVE-2026-42038
CVSS Score: 6.8
Published: 2026-05-05

Axios versions prior to 1.15.1 and 0.31.1 are vulnerable to Server-Side Request Forgery (SSRF) due to incomplete hostname normalization in the proxy bypass logic. The shouldBypassProxy() function uses a literal string comparison rather than semantic IP evaluation, so it does not treat loopback aliases such as 127.0.0.1 and localhost as equivalent. As a result, traffic intended for the local loopback interface can be inadvertently routed through external, potentially attacker-controlled proxies.

TL;DR

Axios fails to semantically match loopback addresses in its NO_PROXY exclusion list. This causes intended internal loopback traffic to be routed through external proxies, leading to SSRF.


Technical Details

  • CWE ID: CWE-918
  • Attack Vector: Network
  • CVSS Score: 6.8 (Medium)
  • EPSS Score: 0.00044
  • Impact: High Confidentiality
  • Exploit Status: Theoretical/None
  • KEV Status: Not Listed

Affected Systems

  • Node.js applications
  • Server-side microservices utilizing Axios for external HTTP requests
  • Systems with HTTP_PROXY and NO_PROXY environment configurations
  • Axios: < 0.31.1 (Fixed in: 0.31.1)
  • Axios: >= 1.0.0, < 1.15.1 (Fixed in: 1.15.1)

Code Analysis

Commit: 163da72

Loopback alias hardening in shouldBypassProxy

Mitigation Strategies

  • Upgrade Axios dependency to patched versions
  • Manually expand no_proxy environment variables with all loopback aliases
  • Explicitly set 'proxy: false' in internal Axios request configurations

Remediation Steps:

  1. Audit project dependencies and lockfiles to identify vulnerable Axios versions.
  2. Update package.json to require Axios >= 1.15.1 or >= 0.31.1.
  3. Execute 'npm install' or 'yarn install' to retrieve the patched packages.
  4. If patching is blocked, update environment variables to include 'localhost,127.0.0.1,::1' in the NO_PROXY string.
  5. Restart the Node.js application process.

