Bug 2487948 (CVE-2026-44487) - CVE-2026-44487 axios: Axios: Information disclosure of proxy credentials via redirect flows
Keywords:
Status: NEW
Alias: CVE-2026-44487
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2488158 2488159 2488160 2488161 2488162 2488163 2488164 2488166 2488167 2488168 2488169 2488171 2488175
Blocks:
Reported: 2026-06-11 17:01 UTC by OSIDB Bzimport
Modified: 2026-06-12 01:04 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-06-11 17:01:57 UTC
Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios’s Node.js HTTP adapter may forward a Proxy-Authorization header to a redirected origin during specific proxy-to-direct redirect flows. This affects Node.js usage, where an initial HTTP request is sent through an authenticated HTTP proxy, redirects are followed, and the redirected URL is no longer proxied. Under affected redirect shapes, the final origin can receive the proxy credential that was intended only for the outbound proxy. This vulnerability is fixed in 0.32.0 and 1.16.0.
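
The following is an added example, not code from axios or from this bug report. It checks an installed axios version against the affected ranges given in the description, and shows the header handling the flaw calls for: dropping Proxy-Authorization when a redirect hop is no longer proxied. The helper names and the noProxy host list are hypothetical.

```javascript
'use strict';
// Added example: helper names and the noProxy policy are hypothetical,
// not axios internals.

// Parse "MAJOR.MINOR.PATCH"; any pre-release/build suffix is ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// Affected ranges as stated in the description: 0.x before 0.32.0 and
// 1.x before 1.16.0. Other major lines are assumed unaffected.
function isAffectedAxios(version) {
  const [major, minor] = parseVersion(version);
  if (major === 0) return minor < 32;
  if (major === 1) return minor < 16;
  return false;
}

// True when a request to `url` would still go through the proxy.
// noProxy entries match a hostname exactly or as a domain suffix.
function isProxied(url, noProxy) {
  const host = new URL(url).hostname.toLowerCase();
  return !noProxy.some((entry) => {
    const suffix = entry.toLowerCase().replace(/^\./, '');
    return host === suffix || host.endsWith('.' + suffix);
  });
}

// Headers for the next hop of a redirect: Proxy-Authorization (any casing)
// is dropped when that hop is sent directly to the origin.
function headersForRedirect(headers, nextUrl, noProxy) {
  const direct = !isProxied(nextUrl, noProxy);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (direct && name.toLowerCase() === 'proxy-authorization') continue;
    out[name] = value;
  }
  return out;
}

// Constructed sample: first hop was proxied, redirect target is in noProxy.
const sample = { Accept: '*/*', 'proxy-authorization': 'Basic PLACEHOLDER' };
const scrubbed = headersForRedirect(
  sample, 'http://internal.example/landing', ['internal.example']);
console.log(isAffectedAxios('1.15.2'), Object.keys(scrubbed));
```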

