Description
The fix for the no_proxy hostname normalization bypass (#10661) is incomplete. When `no_proxy=localhost` is set, requests to `127.0.0.1` and `[::1]` still route through the proxy instead of bypassing it.
The shouldBypassProxy() function does pure string matching — it does not resolve IP aliases or loopback equivalents.
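The gap described above, shown as an added example that is not axios code: a string-only no_proxy check beside a loopback-aware one. The function names are hypothetical, and treating `localhost`, `127.0.0.1` and `::1` as one equivalence class is an assumption of this sketch.

```javascript
// Added example; all function names are hypothetical, not axios internals.

// Canonicalise a host: lowercase, no brackets, no trailing dot, and
// IPv6 in compressed form (the WHATWG URL parser does the compression).
function canonicalHost(host) {
  const bare = host.trim().replace(/^\[|\]$/g, '');
  // Two or more colons can only be an IPv6 literal ("host:port" has one).
  const isV6 = (bare.match(/:/g) || []).length >= 2;
  try {
    const h = new URL('http://' + (isV6 ? '[' + bare + ']' : bare)).hostname;
    return h.replace(/^\[|\]$/g, '').replace(/\.$/, '');
  } catch {
    return null; // unparseable host: never counts as a match
  }
}

// Assumption: these three names form a single loopback class.
function isLoopback(h) {
  return h === 'localhost' || h === '127.0.0.1' || h === '::1';
}

// String-only comparison, the behaviour the description attributes
// to shouldBypassProxy(): aliases of the same endpoint do not match.
function stringOnlyBypass(requestUrl, noProxy) {
  const host = new URL(requestUrl).hostname;
  return noProxy.split(',').some((entry) => entry.trim() === host);
}

// Loopback-aware comparison: canonicalise both sides, then treat any
// loopback entry as covering every loopback host.
function loopbackAwareBypass(requestUrl, noProxy) {
  const host = canonicalHost(new URL(requestUrl).hostname);
  if (host === null) return false;
  return noProxy.split(',').some((raw) => {
    const entry = canonicalHost(raw);
    if (!entry) return false;
    return entry === host || (isLoopback(entry) && isLoopback(host));
  });
}

// Constructed sample: each request URL checked against no_proxy=localhost.
for (const url of ['http://localhost/', 'http://127.0.0.1:8080/', 'http://[::1]:3000/']) {
  console.log(url, stringOnlyBypass(url, 'localhost'), loopbackAwareBypass(url, 'localhost'));
}
```

Running the same comparison against the installed axios version's effective proxy decision is a quick way to confirm whether a deployment is still affected.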
Recommendation
Update the axios package to the latest compatible version. Version details:
Affected version(s): **<= 0.31.0; >= 1.0.0, < 1.15.1**
Patched version(s): **0.31.1, 1.15.1**
References
Related Issues
- Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy - CVE-2026-42041
- SillyTavern: Incomplete IP validation in /api/search/visit allows SSRF via localhost and IPv6 - CVE-2026-34526
- Neotoma: Unauthenticated Inspector/API access via reverse-proxy loopback auth bypass - CVE-2026-45577
- hemmelig allows SSRF Filter bypass via Secret Request functionality - CVE-2025-69206
- Tags:
- npm
- axios
Last updated on May 05, 2026


