Permissive List of Allowed Inputs in axios

CVE-2026-42043

  • axios
  • org.webjars.npm:axios
  • org.webjars.npm:github-com-axios-axios
  • org.webjars.npm:github-com-mzabriskie-axios
Severity High
Score 10/10

Summary

Axios is a promise-based HTTP client for the browser and Node.js. In versions prior to 0.31.1, and from 1.0.0 prior to 1.15.1, an attacker who can influence the target URL of an Axios request can use any address in the 127.0.0.0/8 range (other than 127.0.0.1) to completely bypass the NO_PROXY protection. This vulnerability is due to an incomplete fix for CVE-2025-62718. It is fixed in 1.15.1 and 0.31.1.

  • LOW
  • NETWORK
  • HIGH
  • CHANGED
  • NONE
  • NONE
  • HIGH
  • NONE

CWE-183 - Permissive List of Allowed Inputs

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.
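
The gap described in the Summary and in the CWE-183 text above, shown as an added example (not axios source code; every function name here is hypothetical): a NO_PROXY check that compares literal entries beside one that treats the whole loopback range as one class. It assumes NO_PROXY is meant to exempt loopback destinations from the proxy, and it also covers ::1, which goes slightly beyond the 127.0.0.0/8 case the advisory names.

```javascript
// Added illustration, not axios source code. All function names are hypothetical.

// Split a NO_PROXY value into trimmed, lower-cased entries.
function parseNoProxy(noProxy) {
  return noProxy.split(',').map((e) => e.trim().toLowerCase()).filter(Boolean);
}

// Lower-case a URL hostname and drop the brackets around an IPv6 literal.
function normalizeHost(hostname) {
  return hostname.toLowerCase().replace(/^\[|\]$/g, '');
}

// True for "localhost", ::1, and every IPv4 address in 127.0.0.0/8.
function isLoopbackHost(host) {
  const h = normalizeHost(host);
  if (h === 'localhost' || h === '::1') return true;
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(h);
  return m !== null && m.slice(1).every((o) => Number(o) <= 255) && m[1] === '127';
}

// Permissive-list form: only hosts spelled out in NO_PROXY are exempt,
// so 127.0.0.2 is not recognised even though it is also loopback.
function literalMatch(url, noProxy) {
  const host = normalizeHost(new URL(url).hostname);
  return parseNoProxy(noProxy).includes(host);
}

// Range-aware form: if NO_PROXY names any loopback host, every loopback
// destination is exempt from the proxy.
function loopbackAwareMatch(url, noProxy) {
  const host = normalizeHost(new URL(url).hostname);
  const entries = parseNoProxy(noProxy);
  if (entries.includes(host)) return true;
  return isLoopbackHost(host) && entries.some(isLoopbackHost);
}

// Constructed sample configuration and a helper to compare both checks.
const SAMPLE_NO_PROXY = 'localhost,127.0.0.1';
function compare(url) {
  return {
    literal: literalMatch(url, SAMPLE_NO_PROXY),
    rangeAware: loopbackAwareMatch(url, SAMPLE_NO_PROXY),
  };
}

console.log(compare('http://127.0.0.1:8080/'), compare('http://127.0.0.2:8080/'));
```

The same comparison is useful as a regression test after upgrading to 1.15.1 or 0.31.1: feed it the destinations your service can be pointed at and confirm none of the loopback range falls outside the exemption.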
