PatchSiren cyber security CVE debrief
CVE-2026-44492 axios CVE debrief
CVE-2026-44492 is a HIGH severity vulnerability in Axios, a promise-based HTTP client for the browser and Node.js. Axios does not normalize IPv4-mapped IPv6 addresses. When the NO_PROXY environment variable lists an IPv4 address, such as 127.0.0.1 or 169.254.169.254, a request URL that uses the IPv4-mapped IPv6 form of that address (::ffff:7f00:1, ::ffff:a9fe:a9fe) does not match the entry and may still route through the configured proxy instead of being excluded from it. The vulnerability is fixed in Axios versions 0.32.0 and 1.16.0.
- Vendor: axios
- Product: Unknown
- CVSS: HIGH 8.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-11
- Original CVE updated: 2026-06-13
- Advisory published: 2026-06-11
- Advisory updated: 2026-06-13
Who should care
Users of Axios, especially those using versions prior to 0.32.0 or 1.16.0, should be aware of this vulnerability and take steps to mitigate it.
Technical summary
Axios does not normalize IPv4-mapped IPv6 addresses, so a request to such an address can bypass a NO_PROXY exclusion written in IPv4 form and be sent through the configured proxy. This vulnerability has a CVSS score of 8.6 and is considered HIGH severity.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to Axios version 0.32.0 or 1.16.0 or later.
- Review and update NO_PROXY environment variable settings to ensure they are not bypassed by IPv4-mapped IPv6 addresses.
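The following added example (not code from axios or from the advisory) shows one way to review outbound URLs against a NO_PROXY list: it canonicalizes IPv4-mapped IPv6 hosts to dotted IPv4 and flags hosts that only match after normalization. The function names, the exact-match NO_PROXY handling and the sample URLs are assumptions made for illustration.

```javascript
// Added example (not axios code): helper names are hypothetical.
// Map an IPv4-mapped IPv6 literal to dotted IPv4; return anything else unchanged.
function normalizeHost(host) {
  const h = host.trim().toLowerCase().replace(/^\[|\]$/g, '');
  if (!h.includes(':')) return h; // hostname or plain IPv4
  let s = h;
  const dotted = s.match(/^(.*:)(\d+)\.(\d+)\.(\d+)\.(\d+)$/);
  if (dotted) { // rewrite a dotted tail (::ffff:127.0.0.1) as two hex groups
    const [a, b, c, d] = dotted.slice(2).map(Number);
    if ([a, b, c, d].some((n) => n > 255)) return h;
    s = dotted[1] + ((a << 8) | b).toString(16) + ':' + ((c << 8) | d).toString(16);
  }
  const halves = s.split('::');
  if (halves.length > 2) return h;
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves[1] ? halves[1].split(':') : [];
  const fill = halves.length === 2 ? 8 - head.length - tail.length : 0;
  if (fill < 0) return h;
  const groups = [...head, ...Array(fill).fill('0'), ...tail];
  if (groups.length !== 8 || !groups.every((g) => /^[0-9a-f]{1,4}$/.test(g))) return h;
  const n = groups.map((g) => parseInt(g, 16));
  const mapped = n.slice(0, 5).every((v) => v === 0) && n[5] === 0xffff;
  return mapped ? [n[6] >> 8, n[6] & 255, n[7] >> 8, n[7] & 255].join('.') : h;
}

// Simplified exact-match NO_PROXY check (assumption: no wildcard, CIDR or port handling).
function inNoProxy(host, noProxy, normalize) {
  const fix = normalize ? normalizeHost : (x) => x.trim().toLowerCase().replace(/^\[|\]$/g, '');
  const entries = noProxy.split(',').filter((e) => e.trim()).map((e) => fix(e));
  return entries.includes(fix(host));
}

// Flag hosts that a literal comparison misses but a normalized comparison catches.
function auditUrls(urls, noProxy) {
  return urls.map((url) => {
    const host = new URL(url).hostname;
    const literal = inNoProxy(host, noProxy, false);
    const normalized = inNoProxy(host, noProxy, true);
    return { url, canonicalHost: normalizeHost(host), literal, normalized, gap: normalized && !literal };
  });
}

// Constructed sample input using the addresses named in the advisory text.
const SAMPLE_NO_PROXY = '127.0.0.1,169.254.169.254';
const SAMPLE_URLS = ['http://127.0.0.1/', 'http://[::ffff:7f00:1]/',
  'http://[::ffff:a9fe:a9fe]/', 'http://example.com/'];
console.table(auditUrls(SAMPLE_URLS, SAMPLE_NO_PROXY));
```

Rows with `gap: true` are hosts that a NO_PROXY entry is meant to cover but that a literal string comparison would not match.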
Evidence notes
Evidence for this CVE comes from the official NVD database and Axios security advisories.
Official resources
- CVE-2026-44492 CVE record (CVE.org)
- CVE-2026-44492 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: [email protected] - Exploit, Mitigation, Vendor Advisory
CVE-2026-44492 was published on 2026-06-11T17:16:33.167Z and modified on 2026-06-13T03:16:20.770Z.