CVE-2026-42038: Server-Side Request Forgery via Incomplete Hostname Normalization in Axios Proxy Logic

DEV Community·CVE Reports·28 days ago

Vulnerability ID: CVE-2026-42038
CVSS Score: 6.8
Published: 2026-05-05

Axios versions prior to 1.15.1 and 0.31.1 are vulnerable to Server-Side Request Forgery (SSRF) due to incomplete hostname normalization in the proxy bypass logic. The shouldBypassProxy() function uses literal string comparison rather than semantic IP evaluation, so it fails to equate loopback aliases such as 127.0.0.1 and localhost. As a result, traffic intended for the local loopback interface can be inadvertently routed through an external, potentially attacker-controlled proxy.

TL;DR: Axios fails to semantically match loopback addresses in its NO_PROXY exclusion list. This causes intended internal loopback traffic to be routed through external proxies, leading to SSRF.…
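The defect described above is a matching problem: an exclusion list entry of "localhost" is compared character for character against the request hostname, so "127.0.0.1", "[::1]" or "::ffff:127.0.0.1" never match it and the request is handed to the proxy. The following is an added illustration, not axios's code and not taken from the advisory; the NO_PROXY parsing rules it uses (comma-separated entries, a leading dot for suffix matches, "*" for everything) are a simplified construction, and the function names are chosen for this example. It places a literal check next to one that canonicalizes loopback aliases before comparing.

```javascript
// Added illustration (not axios's code): a NO_PROXY bypass check that compares
// hostnames literally, beside one that recognizes loopback aliases semantically.

// Strip IPv6 brackets so "[::1]" (as URL.hostname returns it) and "::1" compare alike.
function stripBrackets(hostname) {
  return hostname.toLowerCase().replace(/^\[(.*)\]$/, '$1');
}

// Split a constructed NO_PROXY value such as "localhost,127.0.0.1,.corp.example"
// into trimmed, lowercase entries.
function parseNoProxy(value) {
  return value.split(',').map((s) => stripBrackets(s.trim())).filter(Boolean);
}

// Weak variant: an entry bypasses the proxy only if it equals the hostname
// (or is a ".suffix" that the hostname ends with). With NO_PROXY=localhost a
// request to 127.0.0.1 is NOT bypassed and goes to the configured proxy.
function shouldBypassProxyLiteral(hostname, noProxy) {
  const host = stripBrackets(hostname);
  return parseNoProxy(noProxy).some(
    (entry) => entry === '*' || host === entry || (entry.startsWith('.') && host.endsWith(entry)),
  );
}

// Dotted-quad IPv4 parser; returns the four octets or null. Shorthand forms such
// as "127.1" or octal/hex octets are deliberately rejected rather than guessed.
function parseIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((n) => n <= 255) ? octets : null;
}

// Expand a textual IPv6 address into eight 16-bit groups, or null if malformed.
// Handles "::" compression, a zone id suffix, and an embedded dotted quad
// (IPv4-mapped form such as ::ffff:127.0.0.1).
function ipv6Groups(addr) {
  let text = addr.split('%')[0];
  let tail = [];
  if (text.includes('.')) {
    const colon = text.lastIndexOf(':');
    const v4 = parseIPv4(text.slice(colon + 1));
    if (!v4) return null;
    tail = [(v4[0] << 8) | v4[1], (v4[2] << 8) | v4[3]];
    text = text.slice(0, colon + 1);
  }
  const halves = text.split('::');
  if (halves.length > 2) return null;
  const toGroups = (s) => s.split(':').filter(Boolean).map((h) => parseInt(h, 16));
  const head = toGroups(halves[0]);
  const rest = halves.length === 2 ? toGroups(halves[1]) : [];
  const fixed = head.length + rest.length + tail.length;
  if (fixed > 8 || (halves.length === 1 && fixed !== 8)) return null;
  const groups = [...head, ...new Array(8 - fixed).fill(0), ...rest, ...tail];
  return groups.some((g) => Number.isNaN(g) || g < 0 || g > 0xffff) ? null : groups;
}

// Semantic check: does this hostname designate the local loopback interface?
// Covers "localhost", 127.0.0.0/8, ::1 in any textual spelling, and ::ffff:127.x.x.x.
function isLoopback(hostname) {
  const host = stripBrackets(hostname);
  if (host === 'localhost' || host.endsWith('.localhost')) return true;
  const v4 = parseIPv4(host);
  if (v4) return v4[0] === 127;
  if (host.includes(':')) {
    const g = ipv6Groups(host);
    if (!g) return false;
    const v6Loopback = g.slice(0, 7).every((x) => x === 0) && g[7] === 1;
    const v4Mapped = g.slice(0, 5).every((x) => x === 0) && g[5] === 0xffff;
    return v6Loopback || (v4Mapped && (g[6] >> 8) === 127);
  }
  return false;
}

// Hardened variant: if any NO_PROXY entry names the loopback interface, every
// other loopback alias is excluded from proxying as well.
function shouldBypassProxySemantic(hostname, noProxy) {
  const host = stripBrackets(hostname);
  const entries = parseNoProxy(noProxy);
  if (entries.includes('*')) return true;
  if (isLoopback(host) && entries.some(isLoopback)) return true;
  return entries.some((entry) => host === entry || (entry.startsWith('.') && host.endsWith(entry)));
}

// Run both checks over constructed loopback and non-loopback targets.
function compareChecks(noProxy = 'localhost') {
  const targets = ['localhost', '127.0.0.1', '127.2.3.4', '[::1]', '::ffff:127.0.0.1', '10.0.0.5'];
  return targets.map((target) => ({
    target,
    literal: shouldBypassProxyLiteral(target, noProxy),
    semantic: shouldBypassProxySemantic(target, noProxy),
  }));
}

console.table(compareChecks('localhost'));
```

With NO_PROXY set only to "localhost", the literal check bypasses the proxy for "localhost" alone, while the semantic check also bypasses it for 127.0.0.1, 127.2.3.4, [::1] and ::ffff:127.0.0.1 and still proxies 10.0.0.5. The parser intentionally rejects shorthand IPv4 spellings ("127.1", octal or hex octets) instead of guessing at them; a production check should decide explicitly how to treat such inputs rather than let them fall through to the literal comparison.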
