Description

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, he fix for no_proxy hostname normalization bypass is incomplete. When no_proxy=localhost is set, requests to 127.0.0.1 and [::1] still route through the proxy instead of bypassing it. The shouldBypassProxy() function does pure string matching — it does not resolve IP aliases or loopback equivalents. This vulnerability is fixed in 1.15.1 and 0.31.1.

INFO

Published Date :

2026-04-24T17:57:26.975Z

Last Modified :

2026-04-27T13:46:32.484Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-42038 vulnerability.

Vendors Products
Axios
  • Axios
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-42038.

URL Resource
https://github.com/axios/axios/security/advisories/GHSA-m7pr-hjqh-92cm cve-icon cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact