CVE Catalog

CVE-2026-44487

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.69%

48th percentile - higher than 48% of all known CVEs

Summary

A vulnerability in the Axios library for Node.js causes the Proxy-Authorization header to be forwarded to the destination server during proxy-to-direct redirect flows. This affects versions prior to 0.32.0 and 1.16.0.

Risk Assessment

The organization risks leaking proxy credentials to an unauthorized destination server, which could lead to unauthorized access to proxy resources or man-in-the-middle attacks.

Recommendation

Immediately update Axios to version 0.32.0 or 1.16.0 depending on the branch in use. If an update is not possible, temporarily disable redirect handling or use an alternative HTTP client.

Original NVD description (English source)

Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios’s Node.js HTTP adapter may forward a Proxy-Authorization header to a redirected origin during specific proxy-to-direct redirect flows. This affects Node.js usage, where an initial HTTP request is sent through an authenticated HTTP proxy, redirects are followed, and the redirected URL is no longer proxied. Under affected redirect shapes, the final origin can receive the proxy credential that was intended only for the outbound proxy. This vulnerability is fixed in 0.32.0 and 1.16.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS