CVE-2026-44487
Status: Received - Intake
Proxy Credential Leak in Axios HTTP Adapter

Publication date: 2026-06-11

Last updated on: 2026-06-11

Assigner: GitHub, Inc.

Description
Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios’s Node.js HTTP adapter may forward a Proxy-Authorization header to a redirected origin during specific proxy-to-direct redirect flows. This affects Node.js usage, where an initial HTTP request is sent through an authenticated HTTP proxy, redirects are followed, and the redirected URL is no longer proxied. Under affected redirect shapes, the final origin can receive the proxy credential that was intended only for the outbound proxy. This vulnerability is fixed in 0.32.0 and 1.16.0.
Affected Vendors & Products
Vendor: axios; Product: axios; Version / Range: up to 1.16.0 (excluding)
CWE-201: The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.
Executive Summary

CVE-2026-44487 is a credential leak vulnerability in the Axios Node.js HTTP adapter. When an HTTP request is sent through an authenticated HTTP proxy and then redirected to a URL that is accessed directly (without the proxy), the Proxy-Authorization header intended only for the proxy is mistakenly forwarded to the final redirected origin server. This happens during specific HTTP-to-HTTPS redirect flows, causing the proxy credentials to be exposed to the final destination.

Impact Analysis

This vulnerability can lead to the unintended disclosure of proxy authentication credentials to the final redirected server. Such exposure can compromise the confidentiality of your proxy credentials, potentially allowing unauthorized access or misuse of your proxy services. The impact primarily affects confidentiality and can be exploited when using Axios in Node.js environments with authenticated proxies and redirect following enabled.

Detection Guidance

This vulnerability occurs when Axios in a Node.js environment forwards the Proxy-Authorization header to a redirected origin during specific proxy-to-direct redirect flows. Detection involves monitoring HTTP requests that use an authenticated HTTP proxy and follow redirects where the final request bypasses the proxy.

To detect this on your system or network, you can capture and inspect HTTP traffic to identify if Proxy-Authorization headers are being sent to unintended final destinations after redirects.

  • Use network traffic capture tools like tcpdump or Wireshark to monitor outgoing HTTP requests and check for Proxy-Authorization headers sent to origin servers rather than to the proxy.
  • Example tcpdump command to capture HTTP traffic on port 80 or 443: sudo tcpdump -i any -A 'tcp port 80 or tcp port 443' (note that headers on port 443 are TLS-encrypted, so only the plaintext port 80 leg is readable in the capture; a TLS-terminating test proxy or a test origin you control is needed to see the HTTPS leg).
  • Use curl with verbose output to test redirect behavior through a proxy and observe the headers a redirect-following client sends on each hop: curl -x http://proxy:port -L -v http://target-url (curl's own redirect handling differs from Axios's, so this only illustrates the traffic shape, not the Axios bug itself).

Since the vulnerability specifically involves Axios in Node.js, reviewing application logs, or adding debugging in the Axios HTTP adapter code or a request interceptor to log the headers sent on redirected requests, can also help detect the issue.

Mitigation Strategies

Immediate mitigation steps for this vulnerability include:

  • Upgrade Axios to version 1.16.0 or later, or 0.32.0 or later, where the vulnerability is fixed.
  • Disable automatic redirect following in Axios (maxRedirects: 0) to prevent forwarding Proxy-Authorization headers to redirected origins; if redirects are needed, follow them in application code and drop Proxy-Authorization whenever the next hop is not sent through the proxy.
  • Avoid using reusable proxy credentials for requests to untrusted origins to reduce the risk of credential leakage.
  • If exposure is suspected, rotate proxy credentials immediately.

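The header-scrubbing and audit logic behind the detection and mitigation guidance above, as an added example that is not Axios's own code: it assumes an application that has set maxRedirects: 0 and follows redirects itself, a scheme-keyed proxy configuration (PROXY_CONFIG, with a NO_PROXY-style list) and a constructed request-record shape {url, viaProxy, headers} for the audit; the proxy URL and hostnames are constructed.

```javascript
// Proxy configuration assumed for this example: one proxy per URL scheme plus a
// NO_PROXY-style bypass list (values are constructed, not from the advisory).
const PROXY_CONFIG = {
  http: 'http://proxy.example.internal:3128',
  https: null,                       // HTTPS requests go direct
  noProxy: ['localhost', '.internal.example'],
};

// Returns the proxy URL a request to `target` would use, or null when the
// request goes directly to the origin.
function proxyFor(target, cfg = PROXY_CONFIG) {
  const url = new URL(target);
  const host = url.hostname.toLowerCase();
  for (const entry of cfg.noProxy) {
    const e = entry.toLowerCase();
    const bypass = e.startsWith('.')
      ? (host.endsWith(e) || host === e.slice(1))   // suffix match, e.g. ".internal.example"
      : host === e;                                  // exact host match
    if (bypass) return null;
  }
  return cfg[url.protocol.replace(':', '')] || null;
}

// Headers for the next redirect hop: Proxy-Authorization (any letter case) is
// kept only while the hop is still sent through a proxy. This is the manual
// equivalent of the proxy-to-direct check the advisory describes.
function headersForRedirect(headers, nextUrl, cfg = PROXY_CONFIG) {
  const proxied = proxyFor(nextUrl, cfg) !== null;
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === 'proxy-authorization' && !proxied) continue;
    out[name] = value;
  }
  return out;
}

// Audit helper for request logs: reports URLs that received Proxy-Authorization
// although the request was not sent through a proxy (the leak this CVE describes).
function findProxyAuthLeaks(records) {
  return records
    .filter(r => !r.viaProxy &&
      Object.keys(r.headers).some(h => h.toLowerCase() === 'proxy-authorization'))
    .map(r => r.url);
}
```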
Compliance Impact

The vulnerability in Axios’s Node.js HTTP adapter can lead to the unintended disclosure of proxy credentials to a redirected origin server. This leakage of sensitive authentication information primarily impacts confidentiality.

Such unauthorized disclosure of credentials could potentially violate data protection and privacy regulations like GDPR and HIPAA, which require safeguarding sensitive information and ensuring confidentiality.

Organizations using affected Axios versions in environments subject to these regulations should consider the risk of credential exposure and apply fixes or mitigations to maintain compliance.
