CVE-2026-44492
HighCVSS 8.6Exploitation Probability (EPSS)
Elevated risk56th percentile - higher than 56% of all known CVEs
Summary
Axios does not normalize IPv4-mapped IPv6 addresses, allowing bypass of the NO_PROXY list. Requests to internal services (e.g., 127.0.0.1, 169.254.169.254) in ::ffff: format may be routed through the proxy instead of being blocked.
Risk Assessment
An attacker could exploit this vulnerability to access internal network resources through the configured proxy, leading to data leakage or privilege escalation.
Recommendation
Immediately update Axios to version 0.32.0 or 1.16.0, which include the fix for normalizing IPv4-mapped IPv6 addresses.
Original NVD description (English source)
Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios does not normalise IPv4-mapped IPv6 addresses. When NO_PROXY lists an IPv4 address such as 127.0.0.1 or 169.254.169.254, a request URL using the IPv4-mapped IPv6 form (::ffff:7f00:1, ::ffff:a9fe:a9fe) still routes through the configured proxy. Node.js resolves these addresses to the underlying IPv4 host, so the request reaches the internal service via the proxy rather than being blocked. This vulnerability is fixed in 0.32.0 and 1.16.0.

