ZeroPath at Black Hat USA 2026

Axios CVE-2026-44492: IPv4-Mapped IPv6 NO_PROXY Bypass Enables SSRF with PoC and Patch Analysis

A brief summary of CVE-2026-44492, a high severity SSRF vulnerability in Axios that allows attackers to bypass NO_PROXY exclusions using IPv4-mapped IPv6 addresses. Includes proof of concept details, patch analysis, and detection methods.

CVE Analysis

12 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-11

Axios CVE-2026-44492: IPv4-Mapped IPv6 NO_PROXY Bypass Enables SSRF with PoC and Patch Analysis
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

An incomplete patch in Axios's proxy bypass logic means that any application relying on NO_PROXY to protect internal services can be tricked into routing requests through a configured proxy using IPv4-mapped IPv6 address notation, turning a defensive configuration into an attack vector. With over 100 million weekly npm downloads and 109,000 GitHub stars, Axios is one of the most widely deployed JavaScript HTTP clients in existence, and this SSRF bypass (CVSS 8.6) puts cloud metadata endpoints, loopback services, and internal APIs at risk across a massive install base.

This vulnerability, tracked as CVE-2026-44492, is particularly notable because it is an incomplete fix for the earlier CVE-2025-62718. The shouldBypassProxy function introduced in v1.15.0 to address that prior CVE failed to account for the full surface area of IPv6 address representation, leaving a clean bypass path that is trivial to exploit.

Technical Information

Root Cause: Incomplete Address Normalization in shouldBypassProxy

CVE-2026-44492 is classified under CWE-918 (Server-Side Request Forgery). The vulnerability resides in the shouldBypassProxy function located in lib/helpers/shouldBypassProxy.js, which was introduced in Axios v1.15.0 as the remediation for CVE-2025-62718.

The function checks a request's hostname against a hardcoded loopback set (localhost, 127.0.0.1, ::1) and the entries listed in the NO_PROXY environment variable. The critical flaw is in the normalizeNoProxyHost function, which strips square brackets and trailing dots but does not canonicalize the ::ffff: IPv4-mapped IPv6 prefix into its equivalent IPv4 form.

Here is the vulnerable normalization logic from v1.15.x (simplified):

// VULNERABLE — v1.15.x normalizeNoProxyHost (simplified) const normalizeNoProxyHost = (hostname) => { if (!hostname) return hostname; if (hostname[0] === '[' && hostname.at(-1) === ']') hostname = hostname.slice(1, -1); hostname = hostname.replace(/\.+$/, '').toLowerCase(); return hostname; };

After bracket stripping, an IPv4-mapped IPv6 address like [::ffff:7f00:1] becomes the string ::ffff:7f00:1. This is semantically equivalent to 127.0.0.1, but the string comparison against a NO_PROXY entry of 127.0.0.1 fails because the two strings are not equal. The function also does not find ::ffff:7f00:1 in the hardcoded LOOPBACK_ADDRESSES set. As a result, shouldBypassProxy returns false, and the request is routed through the configured proxy.

How Node.js URL Parsing Creates the Bypass

The exploitation depends on a subtle interaction between the WHATWG URL parser built into Node.js and the string comparison logic in shouldBypassProxy. When Node.js processes a URL such as http://[::ffff:127.0.0.1]/, the WHATWG URL parser silently normalizes the IPv4 notation inside the brackets to compressed hexadecimal form, producing the hostname ::ffff:7f00:1. Both the dotted decimal variant (::ffff:127.0.0.1) and the hex compressed variant (::ffff:7f00:1) represent the same underlying IPv4 address, but neither matches the string 127.0.0.1 in NO_PROXY.

Crucially, at the network layer, Node.js resolves ::ffff:7f00:1 back to 127.0.0.1. The advisory confirms this: net.connect({ host: '::ffff:7f00:1', port: 80 }) reaches a service bound to 127.0.0.1:80. So the request successfully reaches the internal service, but it does so via the proxy rather than directly, because the proxy bypass check was defeated.

The advisory also notes that the proxy-from-env package, which is called before shouldBypassProxy, has the same normalization gap. Neither layer catches the bypass.

Attack Flow

An attacker exploiting CVE-2026-44492 would follow these steps:

  1. Identify a target application that uses Axios with proxy configuration and has NO_PROXY set to exclude internal addresses (e.g., NO_PROXY=127.0.0.1,169.254.169.254).

  2. Craft a request URL using IPv4-mapped IPv6 notation for the target internal service. For example, to reach the AWS Instance Metadata Service at 169.254.169.254, the attacker would use http://[::ffff:a9fe:a9fe]/latest/meta-data/.

  3. Submit the crafted URL to the application in a context where it will be passed to Axios as a request target. This could be through any user-controllable input that influences outbound HTTP requests.

  4. The shouldBypassProxy function fails to match the IPv4-mapped IPv6 hostname against the NO_PROXY entry, returning false.

  5. The request is routed through the configured proxy, which forwards it to the internal service. Node.js resolves the IPv4-mapped IPv6 address to the underlying IPv4 address at the network layer.

  6. The attacker receives the response from the internal service (e.g., cloud credentials from the metadata endpoint), achieving SSRF.

The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N reflects this: network accessible, low complexity, no privileges required, no user interaction needed, with scope change across trust boundaries and high confidentiality impact.

Cloud Metadata Exfiltration Scenario

The most impactful exploitation scenario targets cloud metadata services. If an application running on AWS has NO_PROXY=169.254.169.254 to prevent proxy-mediated access to the Instance Metadata Service, an attacker can bypass this protection with http://[::ffff:a9fe:a9fe]/latest/meta-data/. The hex value a9fe:a9fe is the IPv4-mapped IPv6 representation of 169.254.169.254. A successful bypass enables exfiltration of IAM role credentials, potentially granting the attacker access to the broader cloud environment.

Proof of Concept

A public proof of concept is available directly in the official Axios GitHub security advisory GHSA-pjwm-pj3p-43mv, published on May 29, 2026. The reporter is HamdaanAliQuatil.

The PoC demonstrates the bypass with the following JavaScript code, assuming NO_PROXY=127.0.0.1,localhost,::1 and HTTP_PROXY=http://attacker:8080:

// NO_PROXY=127.0.0.1,localhost,::1 HTTP_PROXY=http://attacker:8080 import shouldBypassProxy from 'axios/lib/helpers/shouldBypassProxy.js'; // All three should return true (bypass proxy). Only the first two do. console.log(shouldBypassProxy('http://127.0.0.1/')); // true [OK] console.log(shouldBypassProxy('http://[::1]/')); // true [OK] console.log(shouldBypassProxy('http://[::ffff:127.0.0.1]/')); // false <- bypass console.log(shouldBypassProxy('http://[::ffff:7f00:1]/')); // false <- bypass

The last two calls return false (meaning "do not bypass, use the proxy") when they should return true. The WHATWG URL parser canonicalizes http://[::ffff:127.0.0.1]/ to hostname ::ffff:7f00:1, which is not in the LOOPBACK_ADDRESSES set (['localhost', '127.0.0.1', '::1']) and does not match the 127.0.0.1 entry in NO_PROXY.

The advisory provides a summary table of the bypass behavior:

Request URLshouldBypassProxy ResultBehavior
http://127.0.0.1/trueCorrectly bypasses proxy
http://[::1]/trueCorrectly bypasses proxy
http://[::ffff:127.0.0.1]/falseBypass fails, proxy is used
http://[::ffff:7f00:1]/falseBypass fails, proxy is used

For the cloud metadata SSRF scenario, a request to http://[::ffff:a9fe:a9fe]/latest/meta-data/ targets 169.254.169.254 and bypasses a NO_PROXY exclusion for that address, enabling credential exfiltration in cloud environments.

Patch Information

The Axios maintainers addressed CVE-2026-44492 in version 1.16.0 (for the 1.x line, published May 2, 2026) and version 0.32.0 (for the legacy 0.x line). Both releases also fix the companion vulnerability CVE-2026-44494 (MITM via prototype pollution in config.proxy), making the upgrade a two for one remediation.

The core fix introduces a new unmapIPv4MappedIPv6() function that canonicalizes IPv4-mapped IPv6 addresses into plain IPv4 dotted decimal form before any NO_PROXY comparison is performed. The function uses two regular expressions to catch both notational forms:

// PATCHED — v1.16.0 const IPV4_MAPPED_DOTTED_RE = /^(?:::|(?:0{1,4}:){1,4}:|(?:0{1,4}:){5})ffff:(\d+\.\d+\.\d+\.\d+)$/i; const IPV4_MAPPED_HEX_RE = /^(?:::|(?:0{1,4}:){1,4}:|(?:0{1,4}:){5})ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/i; const unmapIPv4MappedIPv6 = (host) => { if (typeof host !== 'string' || host.indexOf(':') === -1) return host; const dotted = host.match(IPV4_MAPPED_DOTTED_RE); if (dotted) return dotted[1]; const hex = host.match(IPV4_MAPPED_HEX_RE); if (hex) { const high = parseInt(hex[1], 16); const low = parseInt(hex[2], 16); return `${high >> 8}.${high & 0xff}.${low >> 8}.${low & 0xff}`; } return host; };

For dotted decimal mapped addresses (e.g., ::ffff:127.0.0.1), the first regex captures the trailing IPv4 literal and returns it directly. For hex compressed addresses (e.g., ::ffff:7f00:1, the form Node.js's URL parser canonicalizes to), the second regex captures the two 16 bit hex groups, and the function reconstitutes the IPv4 address via bitwise arithmetic.

The updated normalizeNoProxyHost now pipes its output through this new function:

const normalizeNoProxyHost = (hostname) => { if (!hostname) return hostname; if (hostname.charAt(0) === '[' && hostname.charAt(hostname.length - 1) === ']') hostname = hostname.slice(1, -1); return unmapIPv4MappedIPv6(hostname.replace(/\.+$/, '')); };

Critically, normalizeNoProxyHost is applied to both the request hostname and each NO_PROXY entry. This means even if the NO_PROXY list itself contains IPv4-mapped IPv6 notation, the comparison still works correctly because both sides are canonicalized to IPv4.

An additional hardening detail in v1.16.0 is an expanded loopback detection system. The old hardcoded Set(['localhost', '127.0.0.1', '::1']) was replaced with proper isIPv4Loopback (checking the full 127.0.0.0/8 range) and isIPv6Loopback functions that also recognize IPv4-mapped IPv6 loopback forms like ::ffff:7f00:1.

The net effect is that a request to http://[::ffff:a9fe:a9fe]/latest/meta-data/ now correctly matches a NO_PROXY entry of 169.254.169.254, causing shouldBypassProxy to return true and preventing the request from being routed through the proxy.

Upgrade commands:

npm install [email protected] # for 1.x users npm install [email protected] # for 0.x users

Given the North Korean supply chain attack on March 31, 2026, which published malicious versions 1.14.1 and 0.30.4 containing RATs, organizations should verify that their Axios installations come from legitimate, untampered npm sources before and after upgrading.

Detection Methods

Vulnerability Scanning with Tenable Nessus

Tenable has published Nessus Plugin ID 318801 (file name: nodejs_module_axios_1_16_0.nasl), a local check that identifies vulnerable Axios installations on Windows, macOS, and Unix hosts. The plugin flags any Axios version prior to 0.32.0 or any 1.x version prior to 1.16.0 by inspecting the self-reported version number. It is classified under the "Misc." family and is associated with IAVA 2026-A-0534, meaning organizations following DISA STIG compliance should treat this as a tracked remediation item. The plugin requires that installed_sw/Node.js and Host/nodejs/modules/enumerated KB items are present, so ensure your Nessus scans are configured to enumerate Node.js modules for this check to fire.

Dependency and Container Image Scanning

Because this is a library level vulnerability in an npm package, Software Composition Analysis (SCA) tools are the most natural detection vector:

  • GitLab Dependency Scanning identifies this CVE through its Advisory Database (GLAD) and will flag any project pulling in a vulnerable Axios version.
  • Docker Scout tracks container images that include affected Axios versions, helping teams find exposure in their container registries.
  • Any SCA tool consuming the GitHub Advisory Database (GHSA-pjwm-pj3p-43mv) or the OSV feed will similarly detect vulnerable dependencies.

Running npm audit or yarn audit in projects that depend on Axios will also surface this advisory, making CI/CD pipeline integration a low effort detection option.

Network and Log Based Detection Indicators

While no published Snort, Suricata, or Sigma rules exist specifically for CVE-2026-44492 at this time, the technical details provide clear patterns that security teams can monitor for. The core exploit relies on IPv4-mapped IPv6 addresses in request URLs. Specific address formats to watch for include:

  • ::ffff:7f00:1 (the IPv4-mapped IPv6 representation of 127.0.0.1)
  • ::ffff:a9fe:a9fe (the IPv4-mapped IPv6 representation of 169.254.169.254)
  • More broadly, any address matching the ::ffff: prefix followed by hexadecimal octets targeting internal RFC 1918 ranges or link local addresses

In proxy server logs, look for HTTP requests where the Host header or target URL contains bracketed IPv6 addresses with the ::ffff: prefix (e.g., [::ffff:7f00:1] or [::ffff:a9fe:a9fe]), especially when your proxy should not be forwarding traffic to internal destinations. In application level logging, if your Node.js services log outbound request URLs, searching for the ::ffff: pattern in those logs can reveal bypass attempts. In network monitoring, any outbound traffic through a proxy that ultimately resolves to loopback or metadata IP ranges is inherently suspicious and warrants investigation.

Extending Detection from the Predecessor CVE

CVE-2026-44492 is explicitly an incomplete fix for the earlier CVE-2025-62718 (GHSA-3p68-rc4w-qgx5), which addressed trailing dot hostname bypasses and bare IPv6 literal bypasses. If you have existing detection logic for CVE-2025-62718 that monitors for unusual loopback representations in proxy traffic, extending it to also cover the ::ffff: IPv4-mapped IPv6 prefix would close this gap.

Affected Systems and Versions

BranchAffected VersionsFixed Version
1.x>= 1.0.0, < 1.16.01.16.0
0.x<= 0.31.10.32.0

The shouldBypassProxy function was introduced in v1.15.0, meaning versions of the 1.x branch prior to 1.15.0 rely on a different proxy bypass mechanism. However, the advisory states that versions >= 1.0.0 are affected on the 1.x line, indicating that the proxy-from-env package used in earlier versions also has the same normalization gap.

Any application or service that uses Axios with proxy configuration (HTTP_PROXY/HTTPS_PROXY environment variables or explicit proxy settings) and relies on NO_PROXY to exclude internal IPv4 addresses is vulnerable. The risk is highest in cloud environments where NO_PROXY is used to protect metadata service endpoints.

Vendor Security History

Axios has experienced a concentrated cluster of security issues in 2026, raising questions about the maturity of its security review process:

CVESeverityTypeFixed Version
CVE-2025-62718HighNO_PROXY bypass SSRF (hostname aliases)1.15.0
CVE-2026-40175Critical (10.0)SSRF via protocol relative URLs1.15.0, 0.3.1
CVE-2026-44492High (8.6)NO_PROXY bypass SSRF (IPv4-mapped IPv6)1.16.0, 0.32.0
CVE-2026-44494HighMITM via prototype pollution in config.proxy1.16.0, 0.32.0

The pattern of repeated proxy bypass vulnerabilities, particularly the iterative patch failure from CVE-2025-62718 to CVE-2026-44492, indicates that the shouldBypassProxy function operates as a single gatekeeper for all NO_PROXY enforcement, and any bypass silently defeats the entire protection mechanism. A further bypass was reported as GHSA-pmwg-cvhr-8vh7 on April 24, 2026, before the comprehensive fix in v1.16.0.

An important contextual note: the North Korea-nexus supply chain attack on March 31, 2026, which compromised the npm maintainer account and published malicious versions containing RATs, is a separate event but compounds the risk profile. Organizations that updated Axios after the supply chain attack may have inadvertently installed a version that is still vulnerable to this SSRF bypass, while those who avoided updating due to supply chain concerns remain exposed to both vectors. Huntress observed over a hundred affected devices from the supply chain compromise alone.

One notable tension in this vulnerability cluster is between CVSS severity and real world exploitability. CVE-2026-40175 scored 10.0 Critical but was assessed as not practically exploitable, while CVE-2026-44492 at 8.6 High is far more straightforward to exploit with a public PoC. Security teams should evaluate exploitability independently of CVSS scores when prioritizing remediation.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization