Package impact
npm / axios
| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2026-42043 | critical | 10.0 | 10.0 | 1mo ago | Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0 | |
| CVE-2025-62718 | critical | 9.9 | 9.9 | 2mo ago | Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback… | |
| CVE-2026-42264 | critical | 9.1 | 9.1 | 20d ago | Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking | |
| CVE-2026-42044 | critical | 9.1 | 9.1 | 1mo ago | Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver` | |
| CVE-2026-42040 | low | 3.7 | 3.7 | 1mo ago | Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams |