CVE-2026-42043 Overview
Axios, a widely used promise-based HTTP client for browsers and Node.js, contains a critical vulnerability that lets attackers bypass its NO_PROXY handling. The check recognises only the literal address 127.0.0.1, so a request to any other address in the 127.0.0.0/8 loopback block (127.0.0.2 through 127.255.255.254) is not treated as exempt. An attacker who can influence the target URL of an Axios request can therefore evade proxy restrictions intended to protect internal resources.
This vulnerability is an incomplete fix for CVE-2025-62718: the original patch did not account for the full loopback address range. The flaw is fixed in versions 1.15.1 and 0.31.1.
Critical Impact
Attackers can bypass NO_PROXY protections to reach internal services listening on the loopback interface, enabling Server-Side Request Forgery (SSRF) against localhost services and potential exfiltration of sensitive data.
Affected Products
- Axios versions prior to 1.15.1 (1.x branch)
- Axios versions prior to 0.31.1 (0.x branch)
- Applications using vulnerable Axios versions in Node.js environments (proxy environment variables, including NO_PROXY, are consulted only by the Node.js HTTP adapter; browser builds leave proxying to the browser)
Discovery Timeline
- 2026-04-24 - CVE-2026-42043 published to NVD
- 2026-04-27 - Last updated in NVD database
Technical Details for CVE-2026-42043
Vulnerability Analysis
This vulnerability stems from an incomplete remediation of the earlier CVE-2025-62718. The NO_PROXY environment variable lists hosts that should bypass proxy settings, and it typically includes 127.0.0.1 so that requests to local services are not routed through an external proxy. However, the loopback range is the entire 127.0.0.0/8 CIDR block (127.0.0.1 through 127.255.255.255), over 16 million addresses (2^24).
The vulnerable implementation only explicitly checked for 127.0.0.1, leaving the remainder of the loopback range unprotected. An attacker who can control or influence the target URL can specify an alternate loopback address such as 127.0.0.2, 127.1.1.1, or 127.255.255.254 to bypass the NO_PROXY check while still reaching services on the loopback interface. Whether the alternate address actually reaches a given service depends on the host: on Linux and Windows the whole 127.0.0.0/8 block is delivered to the loopback interface, so a service listening on 0.0.0.0 answers on 127.0.0.2 exactly as on 127.0.0.1, while a service bound specifically to 127.0.0.1 does not; on macOS only 127.0.0.1 is configured on lo0 by default, and other 127.x addresses are unreachable unless an alias is added.
Root Cause
The root cause is classified under CWE-183 (Permissive List of Allowed Inputs). The NO_PROXY validation logic used an insufficient allowlist that only accounted for the canonical localhost address 127.0.0.1 rather than properly validating against the complete loopback network range. This permissive approach created a gap where semantically equivalent loopback addresses could bypass security controls.
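As an added illustration (our own code, not Axios's proxy-selection logic, whose exact patched behaviour should be checked against the advisory), the following JavaScript contrasts a NO_PROXY matcher that compares entries for string equality, the CWE-183 pattern described above, with one that treats any loopback entry as the whole 127.0.0.0/8 block and also understands CIDR and leading-dot suffix entries. The function names and the decision to treat `localhost` as loopback are assumptions made for the example.

```javascript
// Added illustration, not Axios's code: a string-equality NO_PROXY matcher
// (the CWE-183 pattern) beside a loopback-aware one. Names are ours.

// Dotted-quad IPv4 without leading zeros, the form the WHATWG URL parser emits.
const IPV4_RE = /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;

// Dotted-quad IPv4 string -> unsigned 32-bit integer, or null if not IPv4.
function ipv4ToInt(host) {
  if (!IPV4_RE.test(host)) return null;
  return host.split(".").reduce((acc, octet) => acc * 256 + Number(octet), 0) >>> 0;
}

// Any address whose first octet is 127 is loopback, not just 127.0.0.1.
function isLoopbackIPv4(host) {
  const n = ipv4ToInt(host);
  return n !== null && (n >>> 24) === 127;
}

// True if `host` lies inside `cidr`, e.g. inCidr("127.1.1.1", "127.0.0.0/8").
function inCidr(host, cidr) {
  const [base, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const h = ipv4ToInt(host);
  const b = ipv4ToInt(base);
  if (h === null || b === null || !(bits >= 0 && bits <= 32)) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((h & mask) >>> 0) === ((b & mask) >>> 0);
}

function splitEntries(noProxy) {
  return noProxy.split(",").map((s) => s.trim()).filter(Boolean);
}

// Vulnerable pattern: NO_PROXY=127.0.0.1 exempts exactly one string, so
// 127.0.0.2 is not matched and the request is handed to the proxy.
function noProxyMatchNaive(host, noProxy) {
  return splitEntries(noProxy).some((entry) => entry === host);
}

// Hardened pattern: "*" matches everything, "a.b.c.d/n" is a CIDR block,
// ".example" matches the domain and its subdomains, and a loopback literal
// (or "localhost", our assumption) exempts every 127.x.x.x address.
function noProxyMatchHardened(host, noProxy) {
  return splitEntries(noProxy).some((entry) => {
    if (entry === "*") return true;
    if (entry.includes("/")) return inCidr(host, entry);
    if (entry.startsWith(".")) return host === entry.slice(1) || host.endsWith(entry);
    if (isLoopbackIPv4(entry) || entry === "localhost") {
      return isLoopbackIPv4(host) || host === "localhost";
    }
    return entry === host;
  });
}

// Would a request to `url` be sent through the proxy under each matcher?
function usesProxy(url, noProxy) {
  const { hostname } = new URL(url);
  return {
    naive: !noProxyMatchNaive(hostname, noProxy),
    hardened: !noProxyMatchHardened(hostname, noProxy),
  };
}

// Demo with NO_PROXY=localhost,127.0.0.1 and an alternate loopback target.
for (const target of ["http://127.0.0.1:8080/admin", "http://127.0.0.2:8080/admin", "http://10.0.0.5/"]) {
  console.log(target, usesProxy(target, "localhost,127.0.0.1"));
}
```

The naive matcher reports that the request to 127.0.0.2 goes to the proxy while the request to 127.0.0.1 does not; the hardened matcher treats both identically. Note that neither matcher handles entries with ports (`127.0.0.1:8080`) or IPv6 literals, which a production implementation must also cover.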
Attack Vector
The vulnerability is exploitable over the network without authentication or user interaction, provided the attacker can influence the target URL used in an Axios request. That is a common situation in applications that accept user-controlled input for API endpoints, redirect targets, or webhook URLs.
The attack flow involves:
- Identifying an application that uses Axios with NO_PROXY configurations to protect internal services
- Crafting a request that targets an alternate loopback address (e.g., http://127.0.0.2:8080/admin)
- The Axios client fails to match this address against the NO_PROXY rules since only 127.0.0.1 is explicitly listed
- The request bypasses proxy restrictions and directly accesses internal localhost services
For detailed technical information regarding the exploitation mechanism, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-42043
Indicators of Compromise
- Outbound HTTP requests targeting loopback addresses other than 127.0.0.1 (e.g., 127.0.0.2, 127.1.0.1, 127.255.255.254), including disguised forms such as 127.1, 2130706434 or 0x7f.0.0.2 that URL parsers normalise to dotted-quad loopback addresses
- Application logs showing requests to internal services via alternate localhost IP addresses
- Unexpected access to internal administrative interfaces or sensitive endpoints from externally-triggered requests
Detection Strategies
- Monitor on the host (for example by capturing on the loopback interface or hooking outbound connections) for HTTP requests destined for addresses in 127.0.0.0/8 other than 127.0.0.1; loopback traffic never leaves the machine, so an off-host network tap will not see it. If the request was routed through the proxy instead, it appears in the proxy's access log
- Review application dependencies using npm audit or yarn audit to identify vulnerable Axios versions
- Configure web application firewalls to flag requests containing alternate loopback addresses in URL parameters
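The indicators and detection strategies above can be run over application request logs. The following Node.js script is an added example, not part of the advisory or of Axios: it parses constructed outbound-request log lines, normalises each target through the WHATWG URL parser (so 127.1, 2130706434 and 0177.0.0.3 all resolve to their dotted-quad form) and flags any loopback target other than 127.0.0.1, as well as 127.0.0.1 written in a disguised form. The log format, the sample lines and the function names are all ours.

```javascript
// Added example, not from the advisory: flag outbound-request log lines whose
// target is an alternate loopback address or a disguised loopback literal.
// Log format and sample lines are constructed for this example.

// Dotted-quad IPv4 without leading zeros, the form the WHATWG URL parser emits.
const IPV4_RE = /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;

// Loopback = any address with first octet 127, not only 127.0.0.1.
function isLoopbackIPv4(host) {
  return IPV4_RE.test(host) && Number(host.split(".")[0]) === 127;
}

// Host literal exactly as written in the URL, before normalisation
// (IPv4 and names only; bracketed IPv6 is out of scope here).
function rawHostLiteral(rawUrl) {
  return rawUrl.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "").split(/[/:?#]/)[0];
}

// Constructed log format: "<ts> <level> outbound method=<m> url=<u> status=<s>"
const LINE_RE = /^(\S+) \S+ outbound method=(\S+) url=(\S+) status=(\d+)/;

// Parse one line; returns null for lines that are not outbound-request records.
function classifyLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [, ts, method, rawUrl, status] = m;
  let hostname;
  try {
    hostname = new URL(rawUrl).hostname; // e.g. "127.1" -> "127.0.0.1"
  } catch {
    return { ts, method, rawUrl, status, hostname: null, obfuscated: false, verdict: "unparseable" };
  }
  const obfuscated = rawHostLiteral(rawUrl) !== hostname;
  let verdict = "ok";
  if (isLoopbackIPv4(hostname)) {
    verdict = hostname === "127.0.0.1" ? "loopback-canonical" : "loopback-alternate";
  }
  return { ts, method, rawUrl, status, hostname, obfuscated, verdict };
}

// Records worth an analyst's attention: any alternate loopback target, and
// 127.0.0.1 itself when it was written in a disguised form.
function findSuspicious(lines) {
  return lines
    .map(classifyLine)
    .filter((r) => r && (r.verdict === "loopback-alternate" ||
                         (r.verdict === "loopback-canonical" && r.obfuscated)));
}

// Constructed sample log (not real traffic).
const SAMPLE_LOG = [
  "2026-04-25T10:01:02Z INFO outbound method=GET url=http://127.0.0.1:8080/health status=200",
  "2026-04-25T10:01:05Z INFO outbound method=GET url=http://127.0.0.2:8080/admin status=200",
  "2026-04-25T10:01:09Z INFO outbound method=POST url=http://2130706434:8080/admin status=200",
  "2026-04-25T10:01:11Z INFO outbound method=GET url=http://127.1:8080/metrics status=200",
  "2026-04-25T10:01:15Z INFO outbound method=GET url=https://api.example.com/v1/items status=200",
  "2026-04-25T10:01:20Z INFO outbound method=GET url=http://0177.0.0.3/ status=404",
  "2026-04-25T10:01:22Z WARN worker heartbeat missed",
];

for (const hit of findSuspicious(SAMPLE_LOG)) {
  console.log(`${hit.ts} ${hit.verdict}${hit.obfuscated ? " (disguised)" : ""}: ${hit.rawUrl} -> ${hit.hostname}`);
}
```

Normalising through `new URL()` matters because a raw string match on "127.0.0." would miss the decimal, shorthand and octal spellings; in a real deployment, feed the same classification the hostnames your application actually connected to rather than only the strings it was asked to fetch.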
Monitoring Recommendations
- Log, for each outbound request, the normalised target host and whether a proxy was applied, so that a loopback target that unexpectedly went through (or around) the proxy is visible
- Monitor for SSRF attack patterns in application request logs, particularly those involving loopback addresses
- Implement Software Composition Analysis (SCA) tools to continuously monitor for vulnerable Axios versions in your codebase
How to Mitigate CVE-2026-42043
Immediate Actions Required
- Upgrade Axios to version 1.15.1 or later for applications using the 1.x branch
- Upgrade Axios to version 0.31.1 or later for applications still on the 0.x branch
- Audit applications for user-controllable URL inputs that are passed to Axios requests
- Review NO_PROXY configurations to understand which internal services may have been exposed
Patch Information
The vulnerability has been fixed in Axios versions 1.15.1 and 0.31.1. The patch validates the complete loopback address range (127.0.0.0/8) rather than only checking for 127.0.0.1. Update your dependencies immediately by modifying your package.json and running the appropriate package manager commands. Axios is frequently pulled in as a transitive dependency, so check every copy in the dependency tree (for example with `npm ls axios`) and make sure the lockfile is updated, not just the direct dependency.
For complete patch details and security advisory information, see the GitHub Security Advisory GHSA-pmwg-cvhr-8vh7.
Workarounds
- Implement strict input validation on any user-controlled data used in constructing Axios request URLs
- Configure application-level URL allowlists to prevent requests to any loopback addresses
- Use network segmentation to limit the impact of potential SSRF attacks against localhost services
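The first two workarounds above, input validation and an application-level allowlist, can be combined into one guard applied before a user-supplied URL reaches Axios. The following is an added example in our own code (not Axios's and not from the advisory): it requires an http or https scheme, refuses embedded credentials, refuses any IP literal (which covers every 127.x.x.x spelling and [::1], because the WHATWG URL parser has already normalised 127.1 or 2130706434 to dotted-quad form) and then checks the hostname against a name allowlist. `ALLOWED_HOSTS`, the function names and the returned config fields are assumptions for the example.

```javascript
// Added example, not Axios's or the advisory's code: validate a user-supplied
// URL before handing it to axios. Allowlist and names are constructed.

// Dotted-quad IPv4 without leading zeros, the form the WHATWG URL parser emits.
const IPV4_RE = /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;

// Constructed allowlist: exact hostnames, or a leading dot for a domain and its subdomains.
const ALLOWED_HOSTS = ["api.example.com", ".partner.example"];

function hostAllowed(hostname, allowed) {
  return allowed.some((e) =>
    e.startsWith(".") ? hostname === e.slice(1) || hostname.endsWith(e) : hostname === e);
}

// Returns an axios request config for `input`, or throws with the reason.
function guardOutboundUrl(input, allowed = ALLOWED_HOSTS) {
  let u;
  try {
    u = new URL(input);
  } catch {
    throw new Error("invalid URL");
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") {
    throw new Error(`scheme not allowed: ${u.protocol}`);
  }
  if (u.username || u.password) throw new Error("credentials in URL not allowed");
  // After normalisation any IPv4 host is canonical dotted-quad and any IPv6
  // host is bracketed, so these two tests catch every IP-literal spelling.
  if (IPV4_RE.test(u.hostname) || u.hostname.startsWith("[")) {
    throw new Error(`IP literal not allowed: ${u.hostname}`);
  }
  if (!hostAllowed(u.hostname, allowed)) throw new Error(`host not allowed: ${u.hostname}`);
  return {
    url: u.href,       // normalised form, never the raw input
    maxRedirects: 0,   // a redirect could land on 127.0.0.2 after this check
    timeout: 5000,
  };
}

// Non-throwing wrapper, convenient for audit scripts and tests.
function checkOutboundUrl(input, allowed = ALLOWED_HOSTS) {
  try {
    guardOutboundUrl(input, allowed);
    return "allowed";
  } catch (e) {
    return `rejected: ${e.message}`;
  }
}

// Demo against constructed inputs, including disguised loopback forms.
for (const input of [
  "https://api.example.com/v1/items",
  "http://127.0.0.2:8080/admin",
  "http://127.1:8080/",
  "http://2130706434/",
  "http://[::1]/",
  "http://localhost/",
]) {
  console.log(input, "->", checkOutboundUrl(input));
}
```

Pass the returned object to `axios.request()` (or spread it into your own config). Redirects are disabled because a permitted host can redirect to a loopback address after the check has passed; if you must follow redirects, re-validate each hop. A name allowlist also does not stop an allowed name from resolving to 127.0.0.2, so for broad allowlists validate the resolved address as well, for example through a custom DNS lookup hook. For a request that does not need the egress proxy at all, Axios's `proxy: false` option skips environment-based proxy selection for that request, which takes the NO_PROXY decision out of the path entirely.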
```bash
# Upgrade Axios to the latest patched release on the 1.x branch
npm install axios@latest
# Or pin the exact patched version (use axios@0.31.1 on the 0.x branch)
npm install axios@1.15.1
# Verify every installed copy, including transitive dependencies
npm list axios
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.