CVE-2026-42038
Published: 24 April 2026
Summary
CVE-2026-42038 is a medium-severity SSRF (CWE-918) vulnerability in Axios. Its CVSS base score is 6.8 (Medium).
Operationally, it is ranked at the 13.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly remediates the flaw in Axios' shouldBypassProxy() function by requiring timely patching to versions 1.15.1 or 0.31.1, which properly handle loopback IP equivalents.
- Identifies deployments using vulnerable Axios versions prior to 1.15.1 or 0.31.1 through vulnerability scanning, enabling remediation.
- Mitigates SSRF risk by validating URLs passed to Axios, preventing unintended proxy routing of loopback requests such as 127.0.0.1 or [::1].
MITRE ATT&CK Enterprise Techniques
Insufficient information to map techniques.
NVD Description
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the fix for no_proxy hostname normalization bypass is incomplete. When no_proxy=localhost is set, requests to 127.0.0.1 and [::1] still route through the proxy instead of bypassing it. The shouldBypassProxy() function does pure string matching: it does not resolve IP aliases or loopback equivalents. This vulnerability is fixed in 1.15.1 and 0.31.1.
Deeper analysis
CVE-2026-42038 affects Axios, a promise-based HTTP client used in browsers and Node.js environments. In versions prior to 1.15.1 and 0.31.1, an incomplete fix for no_proxy hostname normalization allows a bypass. Specifically, when no_proxy is set to "localhost", requests to 127.0.0.1 and [::1] are not bypassed and continue routing through the proxy. This stems from the shouldBypassProxy() function performing pure string matching without resolving IP aliases or loopback equivalents. The vulnerability carries a CVSS v3.1 base score of 6.8 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N) and is associated with CWE-918 (Server-Side Request Forgery).
Attackers can exploit this vulnerability remotely with no privileges or user interaction required, though it demands high attack complexity and a changed scope. Exploitation is feasible in scenarios where an application uses Axios with a no_proxy setting for localhost but issues requests to loopback addresses like 127.0.0.1 or [::1]. A malicious actor controlling or monitoring the proxy can intercept these requests, potentially accessing sensitive data in transit and achieving high confidentiality impact without affecting integrity or availability.
The GitHub security advisory (GHSA-m7pr-hjqh-92cm) confirms the issue and states that it is fixed in Axios versions 1.15.1 and 0.31.1. Practitioners should upgrade to these patched releases to mitigate the vulnerability by ensuring proper proxy bypass logic for loopback equivalents.
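The following is an added illustration of the normalization gap the advisory describes; it is not Axios' own code. A naive bypass check that compares hostnames purely as strings (so `no_proxy=localhost` does not cover `127.0.0.1` or `[::1]`) is shown beside a hardened variant that treats all loopback equivalents (`localhost`, 127.0.0.0/8, `::1` and its IPv4-mapped form) as the same host. The function names and the no_proxy suffix-matching rules are assumptions for the example.

```javascript
// Added example (not Axios' implementation). Parse a no_proxy value such as
// "localhost,.internal.example" into lower-cased rules.
function parseNoProxy(noProxy) {
  return (noProxy || '')
    .split(',')
    .map((s) => s.trim().toLowerCase())
    .filter(Boolean);
}

// Strip IPv6 brackets and lower-case so "[::1]" and "::1" compare equal.
function normalizeHost(host) {
  const h = host.trim().toLowerCase();
  return h.startsWith('[') && h.endsWith(']') ? h.slice(1, -1) : h;
}

// True for any loopback equivalent: "localhost", the whole 127.0.0.0/8 range,
// the IPv6 loopback, or its IPv4-mapped form.
function isLoopback(host) {
  const h = normalizeHost(host);
  if (h === 'localhost' || h === '::1' || h === '::ffff:127.0.0.1') return true;
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(h);
  return m !== null && Number(m[1]) === 127 && m.slice(1).every((o) => Number(o) <= 255);
}

// Suffix rule ".example.com" matches "api.example.com"; exact rule matches only itself.
function ruleMatches(rule, host) {
  return host === rule || (rule.startsWith('.') && host.endsWith(rule));
}

// Vulnerable behaviour as described in the advisory: pure string matching, so a
// "localhost" rule leaves 127.0.0.1 and [::1] going through the proxy.
function shouldBypassProxyNaive(host, noProxy) {
  const h = normalizeHost(host);
  return parseNoProxy(noProxy).some((rule) => rule === '*' || ruleMatches(rule, h));
}

// Hardened variant: if any rule names a loopback host, every loopback
// equivalent bypasses the proxy, regardless of how it was spelled.
function shouldBypassProxyHardened(host, noProxy) {
  const rules = parseNoProxy(noProxy);
  if (rules.includes('*')) return true;
  const h = normalizeHost(host);
  if (isLoopback(h) && rules.some((r) => isLoopback(r))) return true;
  return rules.some((rule) => ruleMatches(rule, h));
}
```

Running both checks against the same request list is a cheap way to audit whether a deployment's no_proxy setting actually keeps loopback traffic off the proxy.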
Details
- CWE(s)