HTTP Client Vulnerability in Axios Affects Browsers and Node.js
CVE-2026-42043

7.2HIGH

Key Information:

Vendor: AxiOS
Status: AxiOS
Vendor: CVE Published:; 24 April 2026

What is CVE-2026-42043?

A significant vulnerability in Axios, a widely used promise-based HTTP client for both browser and Node.js environments, allows attackers to exploit target URLs. By influencing the target URL of an Axios request, an attacker can bypass NO_PROXY protections, utilizing any address within the 127.0.0.0/8 range, excluding 127.0.0.1. This issue stems from incomplete protection measures related to a prior vulnerability, specifically CVE-2025-62718. The flaw has been remedied in Axios versions 1.15.1 and 0.31.1. Users are advised to upgrade to the latest version to mitigate potential risks.

Affected Version(s)

axios >= 1.0.0, < 1.15.1 < 1.0.0, 1.15.1

axios < 0.31.1 < 0.31.1

References

https://github.com/axios/axios/security/advisories/GHSA-p...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 24, 2026
Vulnerability Reserved
Apr 23, 2026

CVE-2026-42043 Data

JSON

AxiOS

What is CVE-2026-42043?

Affected Version(s)

References

CVSS V3.1

Timeline