CVE-2026-44486: Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection
Axios’ Node.js HTTP adapter can leak proxy credentials to a redirect target in affected versions. When a request is sent through an authenticated HTTP proxy, Axios adds a Proxy-Authorization header carrying the proxy credential. On a redirect, Axios re-evaluates the proxy settings for the new URL, but if the redirected request resolves to no proxy, the stale Proxy-Authorization header is not cleared. The header is then sent directly to the redirect target, which receives the proxy credential.
The issue affects only the Node.js HTTP adapter; browser adapters are not affected. It is reachable when all of the following hold: the initial request goes through an authenticated proxy (for example HTTP_PROXY with embedded credentials), automatic redirects are enabled, and the redirected request resolves to a direct connection, such as an http-to-https redirect while HTTPS_PROXY is unset, or a redirect to a host excluded by NO_PROXY. Any server the client contacts through the proxy can trigger this by redirecting to an origin it controls, so the credential is exposed to whoever issues the redirect. Upgrade to a release that contains the linked fix commit; where that is not immediately possible, setting maxRedirects: 0 in the Axios request config and handling redirects in application code, or removing credentials from the proxy environment variables, limits exposure.
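The proxy re-evaluation described above, modelled as an added example that is not Axios’ own code: a per-request proxy resolver driven by HTTP_PROXY, HTTPS_PROXY and NO_PROXY, a redirect step that copies the previous headers unchanged (the leaking pattern), and a corrected step that drops Proxy-Authorization before re-resolving the proxy for the new hop. The function names, the simplified NO_PROXY matching (host or domain suffix, optional port, no IPv6 or CIDR handling) and the proxy URL and hostnames are assumptions made for this illustration.

```javascript
// Added example, not axios's code: models how a Node HTTP client resolves a
// proxy from the environment per request, and why a Proxy-Authorization header
// set for a proxied hop must be dropped when a redirect resolves to a direct
// connection. Helper names and hosts are illustrative.

// Simplified NO_PROXY matching (assumption): comma-separated hosts or domain
// suffixes, optional ":port"; "*" disables proxying entirely.
function matchesNoProxy(hostname, port, noProxy) {
  if (!noProxy) return false;
  for (const raw of noProxy.split(',')) {
    let entry = raw.trim().toLowerCase();
    if (!entry) continue;
    if (entry === '*') return true;
    let entryPort = null;
    const m = entry.match(/^(.*):(\d+)$/);
    if (m) { entry = m[1]; entryPort = m[2]; }
    if (entryPort && entryPort !== String(port)) continue;
    if (entry.startsWith('.')) entry = entry.slice(1);
    if (hostname === entry || hostname.endsWith('.' + entry)) return true;
  }
  return false;
}

// Resolve the proxy for a URL, scheme-specific and evaluated per request:
// returns null for a direct connection, otherwise host/port plus credentials
// embedded in the proxy URL (if any).
function resolveProxy(urlString, env) {
  const url = new URL(urlString);
  const port = url.port || (url.protocol === 'https:' ? '443' : '80');
  if (matchesNoProxy(url.hostname.toLowerCase(), port, env.NO_PROXY ?? env.no_proxy)) return null;
  const raw = url.protocol === 'https:'
    ? (env.HTTPS_PROXY ?? env.https_proxy)
    : (env.HTTP_PROXY ?? env.http_proxy);
  if (!raw) return null;
  const p = new URL(raw);
  return {
    host: p.hostname,
    port: p.port,
    auth: p.username ? `${decodeURIComponent(p.username)}:${decodeURIComponent(p.password)}` : null,
  };
}

function basicCredential(auth) {
  return 'Basic ' + Buffer.from(auth, 'utf8').toString('base64');
}

// Headers for the initial request: Proxy-Authorization is only added when the
// resolved proxy carries credentials.
function headersForRequest(urlString, baseHeaders, env) {
  const proxy = resolveProxy(urlString, env);
  const headers = { ...baseHeaders };
  if (proxy && proxy.auth) headers['Proxy-Authorization'] = basicCredential(proxy.auth);
  return { proxy, headers };
}

// Leaking pattern: the redirected request inherits the previous hop's headers
// unchanged, so Proxy-Authorization survives even when the new hop is direct.
function followRedirectVulnerable(prevHeaders, location, env) {
  const proxy = resolveProxy(location, env);
  return { proxy, headers: { ...prevHeaders } };
}

// Corrected pattern: strip the stale header first, then re-add it only if the
// new hop is itself proxied with credentials.
function followRedirectFixed(prevHeaders, location, env) {
  const headers = { ...prevHeaders };
  delete headers['Proxy-Authorization'];
  delete headers['proxy-authorization'];
  const proxy = resolveProxy(location, env);
  if (proxy && proxy.auth) headers['Proxy-Authorization'] = basicCredential(proxy.auth);
  return { proxy, headers };
}

// Constructed scenario matching the advisory: HTTP_PROXY with credentials,
// HTTPS_PROXY unset, so an http -> https redirect resolves to a direct hop.
const ENV = {
  HTTP_PROXY: 'http://alice:s3cret@proxy.internal:3128',
  NO_PROXY: 'trusted.example',
};

function demo() {
  const first = headersForRequest('http://app.example/login', { Accept: '*/*' }, ENV);
  const vuln = followRedirectVulnerable(first.headers, 'https://attacker.example/cb', ENV);
  const fixed = followRedirectFixed(first.headers, 'https://attacker.example/cb', ENV);
  return {
    firstProxied: first.proxy !== null,
    redirectProxied: vuln.proxy !== null,
    vulnerableLeaksHeader: 'Proxy-Authorization' in vuln.headers,
    fixedLeaksHeader: 'Proxy-Authorization' in fixed.headers,
  };
}

console.log(demo());
```

The same check applies to a redirect whose target is excluded by NO_PROXY: `resolveProxy` returns null for it, and only the corrected redirect step drops the credential. A client that carries headers across hops should treat Proxy-Authorization as bound to the hop's proxy, not to the request.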
References
- github.com/advisories/GHSA-j5f8-grm9-p9fc
- github.com/axios/axios/commit/afca61a070728e717203c2bc21e7b589b59b858b
- github.com/axios/axios/pull/10794
- github.com/axios/axios/releases/tag/v0.32.0
- github.com/axios/axios/releases/tag/v1.16.0
- github.com/axios/axios/security/advisories/GHSA-j5f8-grm9-p9fc
- nvd.nist.gov/vuln/detail/CVE-2026-44486