Incomplete proxy bypass in Axios HTTP client by Axios
CVE-2026-42038

6.8 MEDIUM

Key Information:

Vendor

Axios

Status
Vendor
CVE Published:
24 April 2026

What is CVE-2026-42038?

Prior to versions 1.15.1 and 0.31.1, Axios, a widely-used promise-based HTTP client, has a flaw that improperly handles the no_proxy environment variable. Specifically, when no_proxy=localhost is configured, requests aimed at loopback addresses (127.0.0.1 and [::1]) fail to bypass the designated proxy as expected. The function responsible for determining whether to bypass the proxy does not account for IP aliases or loopback equivalents, which can lead to unintended traffic routing through the proxy. This vulnerability can expose sensitive data or alter network behavior unintentionally.
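The no_proxy weakness described above, as an added example that is not Axios's own code: a naive matcher that compares the target host literally against no_proxy entries, beside a hardened matcher that first folds loopback aliases (localhost, the 127.0.0.0/8 range and ::1) onto a single canonical name before matching. The function names (parseNoProxy, isLoopback, naiveShouldBypass, hardenedShouldBypass), the matching rules for "." suffixes, "*" and host:port entries, and the sample URLs are assumptions made for this example, not details taken from the Axios source.

```javascript
// Added example, not code from the Axios project. All function names here are
// hypothetical; the only facts taken from the advisory are the loopback
// equivalents (127.0.0.1 and [::1]) and the no_proxy=localhost configuration.

// Parse a no_proxy value such as "localhost,.internal.example,10.0.0.5:8080".
function parseNoProxy(value) {
  return (value || '')
    .split(',')
    .map((entry) => entry.trim().toLowerCase())
    .filter(Boolean);
}

// Loopback equivalents of "localhost": any 127.x.x.x address and IPv6 ::1
// (with or without the URL-style brackets).
function isLoopback(host) {
  const h = host.replace(/^\[|\]$/g, '').toLowerCase();
  if (h === 'localhost' || h === '::1') return true;
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(h);
  return m !== null && Number(m[1]) === 127 && m.slice(2).every((o) => Number(o) <= 255);
}

// Fold every loopback alias onto one canonical name so they compare equal.
function canonicalHost(host) {
  return isLoopback(host) ? 'localhost' : host;
}

// Split a no_proxy entry into [name, port]; "[::1]:8080" and bare IPv6 are handled.
function splitHostPort(entry) {
  if (entry.startsWith('[')) {
    const end = entry.indexOf(']');
    return [entry.slice(1, end), entry.slice(end + 2) || ''];
  }
  const i = entry.lastIndexOf(':');
  if (i === -1 || entry.indexOf(':') !== i) return [entry, ''];
  return [entry.slice(0, i), entry.slice(i + 1)];
}

// Host and effective port of a request URL. WHATWG URL returns IPv6 hostnames
// bracketed and an empty port for the scheme default, so both are normalised.
function targetOf(url) {
  const u = new URL(url);
  return {
    host: u.hostname.replace(/^\[|\]$/g, '').toLowerCase(),
    port: u.port || (u.protocol === 'https:' ? '443' : '80'),
  };
}

// Shared entry matching; `compare` decides how host names are compared.
function matchesEntry(entry, host, port, compare) {
  if (entry === '*') return true;
  const [name, entryPort] = splitHostPort(entry);
  if (entryPort && entryPort !== port) return false;
  if (name.startsWith('.')) return host.endsWith(name) || host === name.slice(1);
  return compare(name, host);
}

// Naive matcher: literal comparison, so no_proxy=localhost does NOT cover
// 127.0.0.1 or ::1 (the behaviour the advisory describes).
function naiveShouldBypass(url, noProxy) {
  const { host, port } = targetOf(url);
  return parseNoProxy(noProxy).some((e) => matchesEntry(e, host, port, (n, h) => n === h));
}

// Hardened matcher: compare canonical forms, so every loopback alias matches
// a no_proxy entry naming any other loopback alias.
function hardenedShouldBypass(url, noProxy) {
  const { host, port } = targetOf(url);
  return parseNoProxy(noProxy).some((e) =>
    matchesEntry(e, host, port, (n, h) => canonicalHost(n) === canonicalHost(h)));
}

// Constructed sample requests against no_proxy=localhost, for a side-by-side view.
function demo() {
  const noProxy = 'localhost';
  return ['http://localhost:3000/', 'http://127.0.0.1:3000/', 'http://[::1]:3000/', 'https://api.example.com/']
    .map((url) => ({ url, naive: naiveShouldBypass(url, noProxy), hardened: hardenedShouldBypass(url, noProxy) }));
}
```

Running demo() shows the gap: with no_proxy=localhost the naive matcher bypasses the proxy only for http://localhost:3000/, while the hardened one also bypasses it for 127.0.0.1 and [::1] and still sends api.example.com through the proxy. The actual fix is the upgrade to 1.15.1 or 0.31.1 named above; a matcher like this is useful for checking, before deploying, which of your configured hosts will really skip the proxy.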

Affected Version(s)

axios >= 1.0.0, < 1.15.1 (fixed in 1.15.1; versions < 1.0.0 fall under the 0.x entry below)

axios < 0.31.1 (fixed in 0.31.1)

References

CVSS V3.1

Score:
6.8
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
