Description
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, he fix for no_proxy hostname normalization bypass is incomplete. When no_proxy=localhost is set, requests to 127.0.0.1 and [::1] still route through the proxy instead of bypassing it. The shouldBypassProxy() function does pure string matching — it does not resolve IP aliases or loopback equivalents. This vulnerability is fixed in 1.15.1 and 0.31.1.
Remediation
References
Related Vulnerabilities
WordPress Plugin AppPresser-Mobile App Framework Cross-Site Scripting (1.1.4)
WordPress Plugin Google Captcha (reCAPTCHA) by BestWebSoft Security Bypass (1.12)
Envoy Proxy Improper Input Validation Vulnerability (CVE-2019-9900)
Oracle Database Server CVE-2008-0346 Vulnerability (CVE-2008-0346)
WordPress Plugin Mini Mail Dashboard Widget Cross-Site Scripting (1.42)