Axios CVE-2026-42043: NO_PROXY Bypass Vulnerability

The National Vulnerability Database (NVD) has detailed CVE-2026-42043, a high-severity vulnerability (CVSS 7.2) affecting Axios, a widely used promise-based HTTP client for browsers and Node.js. The flaw allows an attacker to bypass NO_PROXY protection by manipulating the target URL of an Axios request: any address in the 127.0.0.0/8 range other than 127.0.0.1 is treated differently from 127.0.0.1 itself, even though the whole range is loopback.

This vulnerability stems from an incomplete fix for CVE-2025-62718, pointing to a persistent blind spot in Axios's handling of proxy bypass rules. Attackers can leverage it for Server-Side Request Forgery (SSRF) or other internal network access, circumventing the network segmentation and security controls the proxy configuration was meant to enforce.

Defenders must prioritize patching Axios to version 1.15.1 or 0.31.1, where the issue is resolved. Leaving it unpatched could expose internal services to external manipulation, leading to unauthorized access or data exfiltration. The risk is not only what is directly exposed, but what an attacker can pivot to once they are past your proxy controls.
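As an added example (this is not Axios's code and not from the advisory), the following Node.js snippet contrasts a literal-string loopback check, which is the shape of gap the advisory describes, with one that classifies the whole 127.0.0.0/8 range, ::1 and IPv4-mapped loopback addresses. The `matchesNoProxy` helper is a deliberately simplified model of NO_PROXY matching written for this illustration; it is an assumption for the example, not Axios's parser. Whichever way a deployment applies its proxy policy to loopback targets, the decision has to be made on the address range, not on the string `127.0.0.1`.

```javascript
// Added example: range-aware loopback classification for proxy-bypass decisions.
// Not Axios code; the NO_PROXY matching below is a simplified model (assumption).

// Weak check in the spirit of the incomplete fix described above: only the
// literal 127.0.0.1 is recognised, so 127.0.0.2 or 127.1.2.3 slip through.
function isLoopbackNaive(host) {
  return host === '127.0.0.1' || host === 'localhost';
}

// Parse a canonical dotted-quad IPv4 literal into four octets, or null.
function parseIPv4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every(o => o <= 255) ? octets : null;
}

// Parse an IPv6 literal (including "::" compression and IPv4-mapped form)
// into eight 16-bit groups, or null if it is not a valid IPv6 address.
function parseIPv6(s) {
  let a = s;
  const v4 = /(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$/.exec(a);
  if (v4) {
    // Trailing dotted quad (e.g. ::ffff:127.0.0.3) becomes two hex groups.
    const o = parseIPv4(v4[1]);
    if (!o) return null;
    a = a.slice(0, -v4[1].length) +
      ((o[0] << 8) | o[1]).toString(16) + ':' + ((o[2] << 8) | o[3]).toString(16);
  }
  const parts = a.split('::');
  if (parts.length > 2) return null;
  const head = parts[0] ? parts[0].split(':') : [];
  const tail = parts.length === 2 && parts[1] ? parts[1].split(':') : [];
  let groups;
  if (parts.length === 2) {
    const missing = 8 - head.length - tail.length;
    if (missing < 1) return null; // "::" must stand for at least one group
    groups = [...head, ...Array(missing).fill('0'), ...tail];
  } else {
    groups = head;
  }
  if (groups.length !== 8 || !groups.every(g => /^[0-9a-f]{1,4}$/i.test(g))) return null;
  return groups.map(g => parseInt(g, 16));
}

// Hardened check: true for 127.0.0.0/8, ::1 and ::ffff:127.x.x.x (either
// dotted or hex form). "localhost" is treated as loopback by convention;
// no DNS resolution is performed for other names.
function isLoopback(host) {
  let h = String(host).trim().toLowerCase();
  if (h.startsWith('[') && h.endsWith(']')) h = h.slice(1, -1); // URL-style IPv6 literal
  if (h === 'localhost') return true;
  const v4 = parseIPv4(h);
  if (v4) return v4[0] === 127;
  const v6 = parseIPv6(h);
  if (v6) {
    const leadingZero = v6.slice(0, 5).every(g => g === 0);
    if (leadingZero && v6[5] === 0 && v6[6] === 0 && v6[7] === 1) return true; // ::1
    if (leadingZero && v6[5] === 0xffff) return (v6[6] >> 8) === 127;          // IPv4-mapped
  }
  return false;
}

// Simplified NO_PROXY model (assumption for this example, not Axios's parser):
// "*" matches everything; with loopbackAware set, a loopback entry matches
// every loopback target; other entries match exactly or as a domain suffix.
function matchesNoProxy(host, entries, loopbackAware) {
  const h = String(host).trim().toLowerCase();
  return entries.some(e => {
    const entry = e.trim().toLowerCase();
    if (!entry) return false;
    if (entry === '*') return true;
    if (loopbackAware && isLoopback(entry) && isLoopback(h)) return true;
    return h === entry || h.endsWith(entry.startsWith('.') ? entry : '.' + entry);
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const t of ['127.0.0.1', '127.0.0.2', '127.255.255.255', '::1', '::ffff:127.0.0.3', '10.0.0.1']) {
    console.log(t, 'naive:', isLoopbackNaive(t), 'range-aware:', isLoopback(t));
  }
}
```

The parser only accepts canonical forms on purpose: shorthand such as `127.1` or a decimal integer address is neither matched as IPv4 nor as IPv6 and so falls through to `false`. A caller applying policy to such inputs should reject them or apply the check after name resolution rather than treat "unparseable" as "remote".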

What This Means For You

  • If your applications or services rely on Axios, verify your version immediately. This is not theoretical: an attacker can exploit this to bypass NO_PROXY settings and potentially reach internal resources. Audit your Axios dependencies (including transitive ones) and ensure they are updated to at least 1.15.1 or 0.31.1. Do not assume your proxy rules alone are sufficient.

Detection Rules

One of the 4 detection rules auto-generated for this advisory, mapped to MITRE ATT&CK, is shown below as Sigma YAML.

Severity: medium · ATT&CK: T1071.001 (Command and Control)

C2 Beacon Detection — HTTP to Suspicious Domain

Sigma YAML:

title: C2 Beacon Detection — HTTP to Suspicious Domain
id: scw-2026-04-24-1
status: experimental
level: medium
description: |
  Detects high-frequency HTTP POST beaconing to target.local, which may indicate compromised endpoints calling back after the CVE-2026-42043 breach.
author: SCW Feed Engine (auto-generated)
date: 2026-04-24
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-42043/
tags:
  - attack.command_and_control
  - attack.t1071.001
logsource:
  category: proxy
detection:
  selection:
    dst_domain|endswith:
      - 'target.local'
    cs-method: 'POST'
  condition: selection | count() by src_ip > 50
falsepositives:
  - Legitimate activity from CVE-2026-42043
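To make the rule's aggregation concrete, here is an added example (not the feed's or any SIEM's code) that evaluates the same selection and `count() by src_ip > 50` condition in plain JavaScript over constructed proxy log records. The field names `src_ip`, `dst_domain` and `cs-method` follow the rule; the records and thresholds are constructed for this illustration. It also shows a caveat worth knowing before deploying the rule as written: `endswith: 'target.local'` is a bare string-suffix test, so an unrelated name such as `nottarget.local` also matches unless the comparison insists on an exact name or a subdomain.

```javascript
// Added example: the Sigma rule's selection + aggregation over constructed
// proxy log records. Not SCW's or any SIEM's code.

// Constructed sample data: four internal sources with different behaviour.
function buildSampleLogs() {
  const logs = [];
  const add = (n, src_ip, dst_domain, method) => {
    for (let i = 0; i < n; i++) logs.push({ src_ip, dst_domain, 'cs-method': method });
  };
  add(60, '10.0.0.5', 'cdn.target.local', 'POST'); // beacon-like: >50 POSTs to a subdomain
  add(5,  '10.0.0.6', 'target.local',     'POST'); // a few POSTs, under the threshold
  add(80, '10.0.0.7', 'target.local',     'GET');  // many requests, but not POST
  add(80, '10.0.0.8', 'nottarget.local',  'POST'); // unrelated name that merely ends in the string
  return logs;
}

// Sigma `dst_domain|endswith: 'target.local'` is a bare suffix test.
// With strict=true the domain must equal the watched name or be a subdomain.
function domainMatches(domain, watched, strict) {
  if (strict) return domain === watched || domain.endsWith('.' + watched);
  return domain.endsWith(watched);
}

function selectionMatches(rec, opts) {
  return rec['cs-method'] === opts.method &&
    domainMatches(rec.dst_domain, opts.domain, opts.strict);
}

// Group matching records by src_ip and return the sources above the threshold,
// i.e. the `selection | count() by src_ip > threshold` condition.
function evaluateRule(logs, options = {}) {
  const opts = { domain: 'target.local', method: 'POST', threshold: 50, strict: false, ...options };
  const counts = new Map();
  for (const rec of logs) {
    if (!selectionMatches(rec, opts)) continue;
    counts.set(rec.src_ip, (counts.get(rec.src_ip) || 0) + 1);
  }
  return [...counts]
    .filter(([, n]) => n > opts.threshold)
    .map(([src_ip, count]) => ({ src_ip, count }))
    .sort((a, b) => a.src_ip.localeCompare(b.src_ip));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('as written:', evaluateRule(buildSampleLogs()));
  console.log('strict domain match:', evaluateRule(buildSampleLogs(), { strict: true }));
}
```

With the rule as written both 10.0.0.5 and 10.0.0.8 alert; with the stricter domain comparison only 10.0.0.5 does. In Sigma terms, listing both `'.target.local'` under `endswith` and `'target.local'` under a plain `dst_domain` match gives the stricter behaviour.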


Indicators of Compromise

ID              Type         Indicator
CVE-2026-42043  Auth Bypass  Axios versions prior to 1.15.1
CVE-2026-42043  Auth Bypass  Axios versions prior to 0.31.1
CVE-2026-42043  Auth Bypass  Bypass of NO_PROXY protection using the 127.0.0.0/8 range (excluding 127.0.0.1)

Source & Attribution

Source platform: NVD
Channel: National Vulnerability Database
Published: April 24, 2026 at 21:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
