CVE-2026-44486
Received - Intake
Proxy Credential Leak in Axios HTTP Client

Publication date: 2026-06-11

Last updated on: 2026-06-11

Assigner: GitHub, Inc.

Description
Axios is a promise-based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios’ Node.js HTTP adapter can leak proxy credentials to a redirect target. When a request is sent through an authenticated proxy, Axios may add a Proxy-Authorization header. If Axios then follows a redirect and the redirected request is no longer sent through that proxy, the stale Proxy-Authorization header can remain on the redirected request and be sent to the redirect target. This affects Axios used in Node.js with automatic redirects enabled and an authenticated proxy configuration. Browser adapters are not affected. This vulnerability is fixed in 0.32.0 and 1.16.0.
Meta Information
Published: 2026-06-11
Last Modified: 2026-06-11
Generated: 2026-06-11
AI Q&A: 2026-06-11
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 4 associated CPEs
Vendor | Product | Version / Range
axios | axios | to 0.32.0 (exc)
axios | axios | From 1.0.0 (inc) to 1.16.0 (exc)
axios | axios | 0.32.0
axios | axios | 1.16.0
CWE ID | Description
CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Executive Summary

CVE-2026-44486 is a vulnerability in the Axios library affecting its Node.js HTTP adapter in versions prior to 0.32.0 and 1.16.0. When Axios sends a request through an authenticated proxy, it adds a Proxy-Authorization header containing proxy credentials. If the request is redirected to a URL that no longer uses the proxy, the Proxy-Authorization header is not removed and is sent to the redirect target. This causes the proxy credentials to be leaked to the redirect destination, which could be controlled by an attacker.

This issue only affects Axios when used in Node.js with automatic redirects enabled and an authenticated proxy configuration. Browser adapters of Axios are not affected.

Impact Analysis

The vulnerability can lead to the exposure of sensitive proxy credentials to an attacker-controlled redirect target. If your application uses Axios with an authenticated HTTP proxy and automatic redirects, an attacker who controls a redirect server can capture your proxy credentials.

This exposure can allow unauthorized access to the proxy, potentially enabling the attacker to intercept or manipulate network traffic, leading to further security risks.

Detection Guidance

This vulnerability can be detected by monitoring HTTP requests sent from your Node.js applications using Axios versions prior to 0.32.0 and 1.16.0 that use an authenticated proxy with automatic redirects enabled.

Specifically, you should look for outgoing HTTP requests that include a Proxy-Authorization header being sent to redirect targets that do not require a proxy, which indicates that proxy credentials are leaking.

To detect this on your system or network, you can capture and inspect HTTP traffic using tools like tcpdump or Wireshark, filtering for Proxy-Authorization headers in redirected requests.

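  • Use tcpdump to capture HTTP traffic and filter for Proxy-Authorization headers (header names are case-insensitive, so match with -i, and use -l so output is line-buffered when piped):
      tcpdump -l -A -s 0 'tcp port 80 or tcp port 443' | grep -i 'Proxy-Authorization'
    This match only works on cleartext HTTP. Traffic on port 443 is TLS-encrypted, so its headers are not visible in the capture.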
  • Use Wireshark to filter HTTP requests containing Proxy-Authorization headers and check if they are sent to redirect targets.
  • Review your application logs or add logging in your Node.js Axios HTTP adapter to detect when Proxy-Authorization headers are sent on redirected requests.
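
The detection rule described above (a Proxy-Authorization header arriving anywhere other than the proxy), as an added example that is not part of the original advisory or the Axios project. It parses cleartext request heads such as those printed by tcpdump -A and reports only the auth scheme, never the credential. The proxy address, destination addresses and sample requests are constructed assumptions.

```javascript
// Added example: flag cleartext HTTP requests that carry Proxy-Authorization
// to a destination that is not one of our proxies.
const KNOWN_PROXIES = new Set(['10.0.0.5:3128']); // assumption: your proxy's ip:port

// Parse one captured request head (request line + headers, CRLF or LF separated).
function parseRequestHead(raw) {
  const lines = raw.split(/\r?\n/);
  const [method, target] = lines[0].split(' ');
  const headers = {};
  for (const line of lines.slice(1)) {
    if (line === '') break; // blank line ends the header block
    const idx = line.indexOf(':');
    // Header names are case-insensitive, so normalise to lower case.
    if (idx > 0) headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return { method, target, headers };
}

// records: [{ dst: 'ip:port', raw: '<request head>' }]
function findLeakedProxyAuth(records, proxies = KNOWN_PROXIES) {
  const findings = [];
  for (const { dst, raw } of records) {
    const { method, target, headers } = parseRequestHead(raw);
    const value = headers['proxy-authorization'];
    // Skip requests without the header, and requests sent to the proxy as intended.
    if (value === undefined || proxies.has(dst)) continue;
    findings.push({
      dst,
      host: headers.host || null,
      request: `${method} ${target}`,
      scheme: value.split(' ')[0], // report the auth scheme only, not the credential
    });
  }
  return findings;
}

// Constructed sample: a proxied request, the redirected request sent direct
// with the stale header still attached, and an unrelated direct request.
const SAMPLE = [
  { dst: '10.0.0.5:3128', raw: 'GET http://api.example.test/v1 HTTP/1.1\r\nHost: api.example.test\r\nProxy-Authorization: Basic Y29uc3RydWN0ZWQ6c2FtcGxl\r\n\r\n' },
  { dst: '203.0.113.7:80', raw: 'GET /landing HTTP/1.1\r\nHost: redirect.example.test\r\nproxy-authorization: Basic Y29uc3RydWN0ZWQ6c2FtcGxl\r\n\r\n' },
  { dst: '203.0.113.9:80', raw: 'GET / HTTP/1.1\r\nHost: other.example.test\r\n\r\n' },
];

console.log(findLeakedProxyAuth(SAMPLE));
```

Any finding means the proxy credential has been exposed to that destination and should be rotated.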
Mitigation Strategies

To mitigate this vulnerability immediately, you should upgrade Axios to version 0.32.0 or later (for 0.x versions) or 1.16.0 or later (for 1.x versions), where the issue is fixed.

If upgrading is not immediately possible, consider the following workarounds:

  • Set the maxRedirects option in Axios to 0 to disable automatic redirects, preventing the Proxy-Authorization header from leaking.
  • Avoid using authenticated proxy environment variables (like HTTP_PROXY) for requests to untrusted or external origins.
  • Ensure consistent proxy configuration across protocols to prevent Axios from switching from a proxied request to a direct request during redirects.
Compliance Impact

This vulnerability can lead to the exposure of sensitive proxy credentials to attacker-controlled redirect targets. Such unauthorized disclosure of sensitive information may result in non-compliance with data protection regulations and standards like GDPR and HIPAA, which require the protection of sensitive data and credentials.

Specifically, if proxy credentials are leaked, it could be considered a data breach under these regulations, potentially triggering legal and compliance consequences.
