Axios: shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)
Summary
| CVE | CVE-2026-44492 |
|---|---|
| State | PUBLISHED |
| Assigner | GitHub_M |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-11 17:16:33 UTC |
| Updated | 2026-07-10 12:16:58 UTC |
| Description | Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios does not normalise IPv4-mapped IPv6 addresses. When NO_PROXY lists an IPv4 address such as 127.0.0.1 or 169.254.169.254, a request URL using the IPv4-mapped IPv6 form (::ffff:7f00:1, ::ffff:a9fe:a9fe) still routes through the configured proxy. Node.js resolves these addresses to the underlying IPv4 host, so the request reaches the internal service via the proxy rather than being blocked. This vulnerability is fixed in 0.32.0 and 1.16.0. |
Risk And Classification
Primary CVSS: v3.1 8.6 HIGH from ADP
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
EPSS: 0.004420000 probability, percentile 0.351610000 (date 2026-06-18)
Problem Types: CWE-918 | CWE-289 | CWE-918 CWE-918: Server-Side Request Forgery (SSRF) | CWE-289 Authentication Bypass by Alternate Name
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | CVSS | 8.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
| 3.1 | [email protected] | Secondary | 8.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 8.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
| 3.1 | CNA | DECLARED | 8.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| access.redhat.com/security/cve/CVE-2026-44492 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:20889 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:33160 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:30651 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:36882 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:33005 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:36754 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:27044 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:34766 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| github.com/axios/axios/security/advisories/GHSA-pjwm-pj3p-43mv | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | github.com | Exploit, Mitigation, Vendor Advisory |
| access.redhat.com/errata/RHSA-2026:20938 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| access.redhat.com/errata/RHSA-2026:33163 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:29197 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:29082 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:27063 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:28964 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-44492.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:36108 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:36820 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:33173 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:36883 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:26234 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:33183 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:33155 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:30650 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:33574 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-06-11T17:00:56.761Z | Reported to Red Hat. |
| ADP | 2026-06-11T15:29:13.890Z | Made public. |
Solutions
ADP: RHSA-2026:30651: Red Hat Advanced Cluster Management for Kubernetes 2.13
ADP: RHSA-2026:36882: Red Hat Advanced Cluster Management for Kubernetes 2.14
ADP: RHSA-2026:20889: Red Hat Advanced Cluster Security for Kubernetes 4.10
ADP: RHSA-2026:20938: Red Hat Advanced Cluster Security for Kubernetes 4.9
ADP: RHSA-2026:36108: Red Hat Container Native Virtualization 4.13
ADP: RHSA-2026:33005: Red Hat Container Native Virtualization 4.14
ADP: RHSA-2026:36754: Red Hat Developer Hub 1.10
ADP: RHSA-2026:33574: Red Hat Developer Hub 1.9
ADP: RHSA-2026:26234: Red Hat Developer Hub 1.9
ADP: RHSA-2026:29197: Red Hat Discovery 2
ADP: RHSA-2026:28964: Red Hat OpenShift Container Platform 4.15
ADP: RHSA-2026:29082: Red Hat OpenShift Container Platform 4.16
ADP: RHSA-2026:34766: Red Hat OpenShift Container Platform 4.19
ADP: RHSA-2026:27063: Red Hat OpenShift Container Platform 4.20
ADP: RHSA-2026:27044: Red Hat OpenShift Container Platform 4.21
ADP: RHSA-2026:36820: Red Hat OpenShift Dev Spaces 3.29
ADP: RHSA-2026:33155: Red Hat OpenShift Service Mesh 2.6
ADP: RHSA-2026:33163: Red Hat OpenShift Service Mesh 3.1
ADP: RHSA-2026:33173: Red Hat OpenShift Service Mesh 3.2
ADP: RHSA-2026:33183: Red Hat OpenShift Service Mesh 3.3
ADP: RHSA-2026:33160: Red Hat OpenShift Service Mesh 3
ADP: RHSA-2026:30650: multicluster engine for Kubernetes 2.8
ADP: RHSA-2026:36883: multicluster engine for Kubernetes 2.9
Workarounds
ADP: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.