CVE Catalog

CVE-2026-44486

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.55%

42th percentile - higher than 42% of all known CVEs

Summary

A vulnerability in the Axios library for Node.js leaks proxy credentials to a redirect target. When a request is sent through an authenticated proxy, the Proxy-Authorization header may persist in the redirected request and be sent to the new destination.

Risk Assessment

The organization risks exposing proxy credentials (e.g., username and password) to unauthorized parties, potentially leading to unauthorized access or further attacks.

Recommendation

Immediately update Axios to version 0.32.0 or 1.16.0 (depending on the branch used) in Node.js environments with automatic redirects and authenticated proxy configuration.

Original NVD description (English source)

Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios’ Node.js HTTP adapter can leak proxy credentials to a redirect target in affected versions. When a request is sent through an authenticated proxy, Axios may add a Proxy-Authorization header. If Axios then follows a redirect and the redirected request is no longer sent through that proxy, the stale Proxy-Authorization header can remain on the redirected request and be sent to the redirect target. This affects Node.js's use of Axios with automatic redirects enabled and an authenticated proxy configuration. Browser adapters are not affected. This vulnerability is fixed in 0.32.0 and 1.16.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS