Upgrade org.webjars.npm:axios to version 1.16.0 or higher.
org.webjars.npm:axios is a promise-based HTTP client for the browser and Node.js.
Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the shouldBypassProxy function. An attacker can access internal or metadata endpoints by crafting request URLs in IPv4-mapped IPv6 notation, bypassing proxy exclusions. This can result in exposure of sensitive information, such as credentials, especially in cloud environments where instance metadata services are present.
Note: This is only exploitable if the attacker can control the request URL and the application is configured with NO_PROXY to exclude internal or metadata endpoints while using an HTTP/HTTPS proxy.
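
One way to make a NO_PROXY check give the same answer for an address whether it is written as plain IPv4 or in IPv4-mapped IPv6 notation, shown as an added example (this is not axios code or its actual fix; `expandIPv6`, `canonicalHost`, `matchesNoProxy` and the sample `NO_PROXY` value are hypothetical):

```javascript
// Added example, not axios source; all function names are hypothetical.
// Expand an IPv6 literal to eight 16-bit integers, or null if malformed.
function expandIPv6(addr) {
  let s = addr;
  const v4 = s.match(/(\d+)\.(\d+)\.(\d+)\.(\d+)$/);
  if (v4) {
    const o = v4.slice(1).map(Number);
    if (o.some((n) => n > 255)) return null;
    const hi = ((o[0] << 8) | o[1]).toString(16);
    const lo = ((o[2] << 8) | o[3]).toString(16);
    s = `${s.slice(0, v4.index)}${hi}:${lo}`;
  }
  const halves = s.split('::');
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves[1] ? halves[1].split(':') : [];
  const fill = halves.length === 2 ? 8 - head.length - tail.length : 0;
  if (fill < 0) return null;
  const groups = [...head, ...Array(fill).fill('0'), ...tail];
  if (groups.length !== 8 || !groups.every((g) => /^[0-9a-f]{1,4}$/.test(g))) return null;
  return groups.map((g) => parseInt(g, 16));
}

// Canonical form: lowercase, no brackets or trailing dot, ::ffff:a.b.c.d -> a.b.c.d.
function canonicalHost(host) {
  const h = host.toLowerCase().replace(/^\[|\]$/g, '').replace(/\.$/, '');
  const g = h.includes(':') ? expandIPv6(h) : null;
  if (!g) return h;
  const mapped = g.slice(0, 5).every((n) => n === 0) && g[5] === 0xffff;
  if (mapped) return [g[6] >> 8, g[6] & 255, g[7] >> 8, g[7] & 255].join('.');
  return g.map((n) => n.toString(16)).join(':');
}

// NO_PROXY match on canonical forms: exact for addresses, suffix for domain names.
function matchesNoProxy(host, noProxy) {
  const target = canonicalHost(host);
  return noProxy.split(',').map((e) => e.trim()).filter(Boolean).some((entry) => {
    if (entry === '*') return true;
    const e = canonicalHost(entry.replace(/^\*?\./, ''));
    const isName = !e.includes(':') && !/^[\d.]+$/.test(e);
    return target === e || (isName && target.endsWith(`.${e}`));
  });
}

// Constructed sample: an exclusion list and the same address in three spellings.
const NO_PROXY = '169.254.169.254,.internal.example';
for (const h of ['169.254.169.254', '[::ffff:169.254.169.254]', '[::ffff:a9fe:a9fe]', 'example.org']) {
  console.log(h, '->', canonicalHost(h), matchesNoProxy(h, NO_PROXY));
}
```

The same canonicalization belongs in any allow-list or deny-list check applied to a caller-supplied URL, so that the policy decision and the eventual connection agree on which address is meant.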