Web Application Vulnerabilities Runtime SCA Findings
Looking for the vulnerability index of Invicti's legacy products?
Invicti Enterprise Acunetix Standard & Premium
axios Server-Side Request Forgery (SSRF) Vulnerability - CVE-2026-42038 - Vulnerability Database
axios

axios Server-Side Request Forgery (SSRF) Vulnerability - CVE-2026-42038

High
Reference: CVE-2026-42038
NVD Link: https://nvd.nist.gov/vuln/detail/CVE-2026-42038
Title: axios Server-Side Request Forgery (SSRF) Vulnerability
Overview:

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1 he fix for no_proxy hostname normalization bypass is incomplete. When no_proxylocalhost is set requests to 127.0.0.1 and ::1 still route through the proxy instead of bypassing it. The shouldBypassProxy() function does pure string matching it does not resolve IP aliases or loopback equivalents. This vulnerability is fixed in 1.15.1 and 0.31.1.