
CVE-2026-44492 is a Server-Side Request Forgery (SSRF) vulnerability in the axios npm package caused by an incomplete fix for CVE-2025-62718. The shouldBypassProxy helper introduced in axios v1.15.0 fails to normalize IPv4-mapped IPv6 addresses, allowing attackers to bypass NO_PROXY exclusion rules by using addresses such as ::ffff:7f00:1 (equivalent to 127.0.0.1) or ::ffff:a9fe:a9fe (equivalent to 169.254.169.254). Affected versions are axios >= 1.0.0, < 1.16.0 and <= 0.31.1; patched versions are 1.16.0 and 0.32.0. The vulnerability was published on May 29, 2026, and carries a CVSS v3.1 base score of 8.6 (High) (GitHub Advisory, Axios Advisory).
The root cause is classified as CWE-918 (Server-Side Request Forgery). The normalizeNoProxyHost function in lib/helpers/shouldBypassProxy.js strips brackets and trailing dots from hostnames but does not convert IPv4-mapped IPv6 addresses (e.g., ::ffff:7f00:1) to their canonical IPv4 form before comparing against NO_PROXY entries. The WHATWG URL parser canonicalizes http://[::ffff:127.0.0.1]/ to the hostname [::ffff:7f00:1]; after bracket-stripping, this string does not match 127.0.0.1 in NO_PROXY and is absent from LOOPBACK_ADDRESSES, so shouldBypassProxy returns false and routes the request through the configured proxy. Critically, proxy-from-env (called before shouldBypassProxy) has the same gap, meaning neither layer catches the bypass. Node.js itself resolves ::ffff:7f00:1 to 127.0.0.1, so the request ultimately reaches the internal service via the proxy (GitHub Advisory, Axios Advisory).
Any application that configures NO_PROXY to exclude internal or metadata endpoints (e.g., 127.0.0.1, 169.254.169.254) and uses an HTTP/HTTPS proxy is vulnerable to having those exclusions bypassed. The primary impact is high confidentiality loss — in cloud environments, an attacker who controls the request URL can craft a request to http://[::ffff:a9fe:a9fe]/latest/meta-data/ to reach the AWS Instance Metadata Service (IMDS) or equivalent, potentially exfiltrating cloud credentials and enabling lateral movement within the cloud environment. Integrity and availability are not directly impacted by this vulnerability (GitHub Advisory).
Upgrade axios to version 1.16.0 (for the v1.x branch) or 0.32.0 (for the v0.x branch), which canonicalize IPv4-mapped IPv6 addresses in normalizeNoProxyHost before any NO_PROXY comparison. As a temporary workaround, add IPv4-mapped IPv6 equivalents of protected addresses directly to NO_PROXY (e.g., NO_PROXY=127.0.0.1,::1,::ffff:7f00:1,169.254.169.254,::ffff:a9fe:a9fe), though this is error-prone and upgrading is strongly preferred. Additionally, restrict which URLs can be supplied as user-controlled input to axios at the application layer to reduce the attack surface (GitHub Advisory, Axios Advisory).
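The normalization gap described above, as an added JavaScript example that is not the axios project's own code: a NO_PROXY matcher with the bracket-stripping check beside a hardened version that folds IPv4-mapped IPv6 literals to their dotted-quad form before comparing. The function names, the `canonicalize` flag and the simplified NO_PROXY entry handling are assumptions made for this example.

```javascript
// Expand an IPv6 literal into eight 16-bit hextets; returns null if it is not IPv6.
// Accepts the embedded dotted-quad tail (::ffff:127.0.0.1) and the hex form (::ffff:7f00:1).
function expandIPv6(host) {
  if (!host.includes(':')) return null;
  let s = host;
  const m = s.match(/^(.*:)(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (m) {
    const o = m.slice(2).map(Number);
    if (o.some((v) => v > 255)) return null;
    // Fold the trailing a.b.c.d into two hextets so the generic path handles it.
    s = m[1] + ((o[0] << 8) | o[1]).toString(16) + ':' + ((o[2] << 8) | o[3]).toString(16);
  }
  const halves = s.split('::');
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (halves.length === 1 && missing !== 0)) return null;
  const parts = head.concat(Array(missing).fill('0'), tail);
  if (!parts.every((p) => /^[0-9a-f]{1,4}$/i.test(p))) return null;
  return parts.map((p) => parseInt(p, 16));
}

// Pre-fix style normalization: lowercase, drop IPv6 brackets and a trailing dot, nothing else.
function stripHost(hostname) {
  return hostname.toLowerCase().replace(/^\[|\]$/g, '').replace(/\.$/, '');
}

// Hardened normalization: additionally map ::ffff:a.b.c.d / ::ffff:XXXX:XXXX to a.b.c.d,
// so the host string compared against NO_PROXY is the same one the socket will connect to.
function canonicalHost(hostname) {
  const host = stripHost(hostname);
  const hx = expandIPv6(host);
  if (hx && hx.slice(0, 5).every((h) => h === 0) && hx[5] === 0xffff) {
    return [hx[6] >> 8, hx[6] & 0xff, hx[7] >> 8, hx[7] & 0xff].join('.');
  }
  return host;
}

// Returns true when the URL's host matches a NO_PROXY entry (exact, '*', or '.suffix').
// canonicalize=false reproduces the gap: the WHATWG parser yields '[::ffff:7f00:1]' for
// http://[::ffff:127.0.0.1]/, which never equals '127.0.0.1' without the IPv4 fold.
function shouldBypassProxy(url, noProxy, canonicalize = true) {
  const norm = canonicalize ? canonicalHost : stripHost;
  const host = norm(new URL(url).hostname);
  return noProxy.split(',').map((e) => norm(e.trim())).filter(Boolean)
    .some((e) => e === '*' || e === host || (e.startsWith('.') && host.endsWith(e)));
}
```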
The advisory was published by axios maintainer jasonsaayman on May 29, 2026, and credited reporter HamdaanAliQuatil for discovery. Security news outlet SecurityOnline.info covered the axios proxy vulnerabilities, and the issue was tracked by Chainguard and Wolfi package maintainers who issued their own advisories. The vulnerability was also picked up by OSV.dev and Tenable's Nessus scanner within days of disclosure, reflecting rapid community response to the supply chain risk (SecurityOnline, Axios Advisory).
Source: This report was generated using artificial intelligence