CVE-2026-44492
IPv4-Mapped IPv6 Bypass in Axios HTTP Client

Publication date: 2026-06-11

Last updated on: 2026-06-11

Assigner: GitHub, Inc.

Description
Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios does not normalise IPv4-mapped IPv6 addresses. When NO_PROXY lists an IPv4 address such as 127.0.0.1 or 169.254.169.254, a request URL using the IPv4-mapped IPv6 form (::ffff:7f00:1, ::ffff:a9fe:a9fe) still routes through the configured proxy. Node.js resolves these addresses to the underlying IPv4 host, so the request reaches the internal service via the proxy rather than being blocked. This vulnerability is fixed in 0.32.0 and 1.16.0.
Affected Vendors & Products
Vendor   Product   Version / Range
axios    axios     prior to 0.32.0 (0.x releases up to and including 0.31.1)
axios    axios     from 1.0.0 (inclusive) up to 1.16.0 (exclusive)
CWE
CWE-918 (Server-Side Request Forgery, SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Executive Summary

This vulnerability occurs in Axios versions prior to 0.32.0 and 1.16.0, where the HTTP client does not properly normalize IPv4-mapped IPv6 addresses when checking the NO_PROXY environment variable.

When NO_PROXY lists IPv4 addresses like 127.0.0.1 or 169.254.169.254, requests whose URL uses the IPv4-mapped IPv6 notation for the same host (such as ::ffff:7f00:1 or ::ffff:a9fe:a9fe) are still sent through the configured proxy instead of bypassing it as NO_PROXY intends.

Node.js resolves these IPv4-mapped IPv6 addresses to their IPv4 equivalents, but Axios's shouldBypassProxy function and proxy-from-env library do not recognize this mapping, causing the proxy to be used unintentionally.

This flaw allows requests intended to bypass the proxy to be routed through it, potentially exposing internal or metadata endpoints.

Impact Analysis

This vulnerability can lead to sensitive internal or metadata service requests being routed through a proxy when they should be bypassed.

As a result, it may expose internal endpoints or cloud metadata services to the proxy, increasing the risk of credential exfiltration or unauthorized access.

The attack is network-based, requires no privileges or user interaction, and has a high severity score (CVSS 8.6), making it a significant security risk.

Detection Guidance

This vulnerability involves Axios versions prior to 0.32.0, and 1.x versions prior to 1.16.0, improperly handling IPv4-mapped IPv6 addresses when evaluating the NO_PROXY environment variable, causing requests to internal addresses to route through a proxy unexpectedly.

To detect this vulnerability on your system, you can check the Axios version used in your projects or dependencies to see if it falls within the affected range (prior to 0.32.0 and 1.16.0).

You can also test if requests to internal IP addresses using IPv4-mapped IPv6 notation (e.g., ::ffff:7f00:1 for 127.0.0.1) are bypassing the NO_PROXY setting and going through the proxy.

  • Check the Axios version actually resolved in the dependency tree: `npm ls axios` (npm) or `yarn why axios` (Yarn).
  • Test HTTP requests with IPv4-mapped IPv6 addresses and observe if they are routed through the proxy despite NO_PROXY settings.
  • Use network monitoring tools (e.g., tcpdump, Wireshark) to capture traffic and verify if requests to internal IPs are sent via the proxy.
Mitigation Strategies

The primary mitigation step is to upgrade Axios to a fixed version where this vulnerability is resolved.

  • Upgrade Axios to version 0.32.0 or later, or 1.16.0 or later.

Until the upgrade can be applied, avoid relying solely on NO_PROXY to exclude internal IP addresses, especially when using IPv4-mapped IPv6 notation.

  • In your own request path, normalize IPv4-mapped IPv6 hosts (::ffff:a.b.c.d, or the hex form ::ffff:7f00:1) to their plain IPv4 form before deciding whether a destination is exempt from the proxy, so that both spellings of an address are treated alike.
  • Review proxy configurations and consider additional network-level controls to block unintended proxy routing.
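The following is an added example, not code from axios or proxy-from-env, that serves both the detection test described above (probe whether IPv4-mapped IPv6 spellings of a NO_PROXY host slip past the exemption) and the normalization step in the mitigation list. It canonicalises a URL's host (strips IPv6 brackets, converts ::ffff:a.b.c.d to a.b.c.d) before consulting NO_PROXY, and contrasts that with a naive raw-string match of the kind the advisory describes. The NO_PROXY matching rules, the sample NO_PROXY value and the sample URL list are assumptions constructed for the example; real NO_PROXY handling also deals with ports, and some tools accept CIDR entries, neither of which is modelled here.

```javascript
// Added example (not axios or proxy-from-env code). Assumed, simplified
// NO_PROXY semantics: '*', an exact host, or a leading-dot domain suffix.

// Expand an IPv6 literal into eight 16-bit groups; return null if it is not IPv6.
function expandIPv6(addr) {
  let a = addr;
  // A dotted-quad tail (::ffff:127.0.0.1) becomes two hex groups (7f00:1).
  const dotted = a.match(/^(.*:)(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (dotted) {
    const octets = dotted.slice(2).map(Number);
    if (octets.some((o) => o > 255)) return null;
    a = dotted[1]
      + ((octets[0] << 8) | octets[1]).toString(16) + ':'
      + ((octets[2] << 8) | octets[3]).toString(16);
  }
  const halves = a.split('::');
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const groups = [...head, ...tail];
  if (!groups.every((g) => /^[0-9a-f]{1,4}$/i.test(g))) return null;
  const missing = 8 - groups.length;
  // Without '::' exactly eight groups are required; with it, at least one is elided.
  if (halves.length === 1 ? missing !== 0 : missing < 1) return null;
  return [...head, ...Array(missing).fill('0'), ...tail].map((g) => parseInt(g, 16));
}

// If host is an IPv4-mapped IPv6 address (::ffff:a.b.c.d in any spelling),
// return the dotted IPv4 string; otherwise return the input unchanged.
function unmapIPv4(host) {
  const groups = expandIPv6(host);
  if (!groups) return host;
  const mapped = groups.slice(0, 5).every((g) => g === 0) && groups[5] === 0xffff;
  if (!mapped) return host;
  const hi = groups[6];
  const lo = groups[7];
  return [hi >> 8, hi & 0xff, lo >> 8, lo & 0xff].join('.');
}

// Raw hostname as the URL parser gives it, minus IPv6 brackets, lower-cased.
function rawHost(url) {
  return new URL(url).hostname.replace(/^\[|\]$/g, '').toLowerCase();
}

// Canonical host: raw host with IPv4-mapped IPv6 collapsed to IPv4.
function canonicalHost(url) {
  return unmapIPv4(rawHost(url));
}

function parseNoProxy(noProxy) {
  return noProxy.split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
}

function matchesEntry(host, entry) {
  if (entry === '*') return true;
  if (entry.startsWith('.')) return host.endsWith(entry);
  return host === entry;
}

// Naive check of the kind the advisory describes: the raw host string is compared
// with each NO_PROXY entry, so ::ffff:7f00:1 never matches a 127.0.0.1 entry.
function shouldBypassProxyNaive(url, noProxy) {
  const host = rawHost(url);
  return parseNoProxy(noProxy).some((e) => matchesEntry(host, e));
}

// Hardened check: both the request host and each entry are canonicalised first.
function shouldBypassProxy(url, noProxy) {
  const host = canonicalHost(url);
  return parseNoProxy(noProxy).some((e) => matchesEntry(host, unmapIPv4(e)));
}

// Detection helper: URLs that the naive matcher would hand to the proxy even though
// their canonical host is exempted by NO_PROXY.
function findNoProxyGaps(noProxy, urls) {
  return urls.filter((u) => shouldBypassProxy(u, noProxy) && !shouldBypassProxyNaive(u, noProxy));
}

// Constructed sample input for the example (not real configuration or traffic).
const SAMPLE_NO_PROXY = '127.0.0.1,169.254.169.254,.internal.example';
const SAMPLE_URLS = [
  'http://127.0.0.1:8080/admin',
  'http://[::ffff:7f00:1]:8080/admin',
  'http://[::ffff:127.0.0.1]:8080/admin',
  'http://169.254.169.254/latest/meta-data/',
  'http://[::ffff:a9fe:a9fe]/latest/meta-data/',
  'http://api.internal.example/',
  'http://example.com/',
];

for (const u of findNoProxyGaps(SAMPLE_NO_PROXY, SAMPLE_URLS)) {
  console.log(`naive NO_PROXY misses ${u} (canonical host ${canonicalHost(u)})`);
}
```

Running the block prints the three IPv4-mapped URLs from the sample list; the plain IPv4 URLs and the domain-suffix entry behave identically under both matchers. To use it as the probe from the detection guidance, replace SAMPLE_NO_PROXY with the NO_PROXY value your deployment sets and list the internal hosts you expect to be exempt in both spellings. The hardened matcher is the normalization step from the mitigation list; it does not replace upgrading axios, since the affected versions perform their own NO_PROXY evaluation inside the HTTP adapter.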
Compliance Impact

This vulnerability allows requests that NO_PROXY should have kept off the proxy to be routed through it instead, potentially exposing internal or metadata endpoints. Such exposure can lead to credential exfiltration in cloud environments.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, the potential for unauthorized access to internal services and credential leakage could lead to violations of data protection and privacy regulations that require safeguarding sensitive information.
