JustAppSec

Axios fixes NO_PROXY bypass via 127.0.0.0/8 loopback

Published 24 Apr 2026 | Updated 24 Apr 2026 | Source: CVEProject (cvelistV5)

TL;DR — Axios’s proxy-bypass logic failed to treat most of 127.0.0.0/8 as loopback, so attacker-influenced request URLs like http://127.0.0.2/... can bypass NO_PROXY protections.

What happened

Axios is a JavaScript HTTP client commonly used in Node.js services where outbound traffic is governed by HTTP_PROXY/HTTPS_PROXY and NO_PROXY.

CVE-2026-42043 is a patch-bypass style issue in Axios’s NO_PROXY enforcement. If an attacker can influence the target URL of an Axios request, they can use loopback addresses in 127.0.0.0/8 (except 127.0.0.1) to bypass the NO_PROXY protection and have the request routed through the configured proxy.

The GitHub advisory linked from the CVE frames this as an incomplete fix for a prior NO_PROXY bypass (CVE-2025-62718). The key detail is the loopback classification: treating only 127.0.0.1 as loopback is not sufficient because the full 127.0.0.0/8 range routes to localhost on major OSes.

This matters because “proxy bypass / proxy misrouting” bugs are a recurring SSRF enabler, and Axios is ubiquitous across Node.js stacks. A small logic gap can translate into a large blast radius across CI, container, and enterprise-proxy environments.

Who is impacted

  • Applications using axios in versions >= 1.0.0, < 1.15.1.
  • Applications using axios in versions < 0.31.1.
  • Highest-risk deployments are those that:
    • run with HTTP_PROXY/HTTPS_PROXY set, and
    • rely on NO_PROXY to keep loopback/internal destinations from being proxied, and
    • accept user-influenced or tenant-influenced target URLs.

Package line   Affected               Patched (as stated in the record)
axios 1.x      >= 1.0.0, < 1.15.1     1.15.1
axios 0.x      < 0.31.1               0.31.1

What to do now

  • Follow vendor remediation guidance and apply a release that includes the fix.

    "This vulnerability is fixed in 1.15.1 and 0.31.1."

  • Inventory where axios is used in server-side code paths that build request URLs from user-controlled inputs (directly or indirectly).
  • Treat NO_PROXY as defense-in-depth, not an application-layer authorization boundary. If a URL must never be reachable, enforce destination allowlists at the application layer and at egress controls (where operationally feasible).
  • If you suspect abuse, review proxy logs and outbound request telemetry for unexpected requests to 127.0.0.0/8 destinations (especially anything other than 127.0.0.1).
