CVE-2026-42038 — Vulnetix

CVE-2026-42038 PUBLISHED CVSS 6.800000190734863 MEDIUM

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, he fix for no_proxy hostname normalization bypass is incomplete. When no_proxy=localhost is set, requests to 127.0.0.1 and [::1] still route through the proxy instead of bypassing it. The shouldBypassProxy() function does pure string matching — it does not resolve IP aliases or loopback equivalents. This vulnerability is fixed in 1.15.1 and 0.31.1.

EPSS 0.06% · 19.1th percentile

Risk Scores

CVSS v3.1

6.800000190734863

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

EPSS Score

0.06%

19.1th percentile

Affected Products

Vendor	Product	Versions
axios	axios	>= 1.0.0, < 1.15.1, < 0.31.1

Timeline

Apr 24, 2026 CVE Published
Apr 25, 2026 EPSS Score
May 6, 2026 Security Advisory
May 18, 2026 EPSS Score
May 19, 2026 EPSS Score
May 20, 2026 EPSS Score
May 21, 2026 EPSS Score
May 22, 2026 EPSS Score
May 23, 2026 EPSS Score
May 24, 2026 EPSS Score
May 25, 2026 EPSS Score
May 26, 2026 EPSS Score

References

https://github.com/axios/axios/security/advisories/GHSA-m7pr-hjqh-92cm url

Open in Interactive Console →