DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-42043: Axios NO_PROXY Protection Bypass via RFC 1122 Loopback Subnet

Vulnerability ID: CVE-2026-42043
CVSS Score: 7.2
Published: 2026-05-05

Axios versions prior to 1.15.1 and 0.31.1 contain a security control bypass vulnerability in the NO_PROXY implementation. The issue originates from an incomplete fix for a previous vulnerability (CVE-2025-62718). By targeting non-standard loopback IP addresses within the 127.0.0.0/8 subnet, an attacker can bypass internal traffic protections and force Axios to route requests through an external proxy. This results in Server-Side Request Forgery (SSRF) and Confused Deputy attacks.

TL;DR

Axios fails to validate the full 127.0.0.0/8 loopback subnet, allowing attackers to supply non-standard local IPs (e.g., 127.0.0.2) to bypass NO_PROXY rules and maliciously route internal traffic through external proxies.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-183, CWE-441, CWE-918
  • Attack Vector: Network
  • CVSS v3.1: 7.2
  • EPSS Score: 0.00044
  • Impact: SSRF / Confused Deputy
  • Exploit Status: Proof of Concept
  • KEV Status: Not Listed

Affected Systems

  • Axios < 0.31.1 (fixed in 0.31.1)
  • Axios >= 1.0.0, < 1.15.1 (fixed in 1.15.1)
  • Node.js applications that use HTTP_PROXY with user-controlled Axios requests

Code Analysis

Commit: cb7b9ad

Axios Threat Model and Security Fix

Exploit Details

  • Technical Analysis: Logic flaw proof-of-concept allowing NO_PROXY bypass using 127.0.0.2

Mitigation Strategies

  • Upgrade Axios library to a version containing the official patch.
  • Explicitly configure NO_PROXY to encompass the entire 127.0.0.0/8 block.
  • Disable Axios proxy configurations programmatically using { proxy: false } for sensitive internal requests.
  • Implement strong input validation to reject explicit IPv4 addresses in user-supplied URLs.

Remediation Steps:

  1. Identify all Node.js projects utilizing Axios via npm audit or package-lock analysis.
  2. Update package.json dependencies to require Axios ^1.15.1 or ^0.31.1.
  3. Run npm install to apply the updated versions.
  4. Audit environment variables to ensure NO_PROXY correctly lists internal hostnames.

Read the full report for CVE-2026-42043 on our website for more details including interactive diagrams and full exploit analysis.
