Axios Library May Leak Proxy Credentials During Web Requests
Your application uses a JavaScript library called Axios to make web requests. A flaw in one of its supporting components means that if your app routes traffic through an authenticated proxy server, those proxy login credentials could be accidentally sent to the wrong destination when a redirect occurs. This only affects you if your app uses proxy authentication — if it doesn't, you're not at risk.
Business Impact And Actions
Business Impact (medium urgency)
If your infrastructure uses authenticated proxies (common in corporate or regulated environments), this flaw could expose those credentials to third-party servers. Leaked proxy credentials could allow unauthorised access to your internal network or services sitting behind that proxy. This may also be a flag in compliance audits that require dependency vulnerability management.
What To Do
- Ask your developer to check whether your application uses Axios and, if so, what version — and whether it routes requests through a proxy with a username and password.
- If proxy authentication is in use, treat this as a priority fix: ask your developer to upgrade Axios to version 1.6.8 or later this sprint.
- If your app does not use authenticated proxies, schedule the upgrade as routine maintenance within the next 4–6 weeks.
- After upgrading, ask your developer to run `npm audit` to confirm no further known vulnerabilities remain in your dependencies.
Axios < 1.6.8 / follow-redirects < 1.15.6 — Proxy-Authorization Header Leak on Cross-Domain Redirect (CVE-2024-28849)
Vulnerability Explanation (medium severity, CVSS 6.5)
Axios delegates HTTP redirect handling to its transitive dependency `follow-redirects`. When a redirect crosses domain boundaries, `follow-redirects` correctly strips the `Authorization` and `Cookie` headers to prevent credential leakage — but it fails to strip the `Proxy-Authorization` header. This means any proxy credentials set on the original request are forwarded verbatim to the redirect destination, which may be an untrusted third-party server. An attacker who controls or can influence the redirect target (e.g., via a compromised CDN, DNS manipulation, or a server-side redirect they influence) can capture the `Proxy-Authorization` header value.
Root Cause
The `removeMatchingHeaders` call in `follow-redirects/index.js` used a regex that matched `authorization` and `cookie` but omitted `proxy-authorization`. This was an oversight in the header sanitization logic — the library treated proxy credentials as non-sensitive during redirect handling, contrary to the Fetch specification's authentication-entries requirements.
Technical Impact
An attacker who can trigger or influence a cross-domain redirect can capture the `Proxy-Authorization` header, obtaining proxy credentials. These credentials may grant access to internal network resources, privileged services behind the proxy, or be reused in further attacks. Confidentiality impact is high; integrity and availability are unaffected.
Severity Justification
CVSS 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). Network-exploitable with low complexity, but requires the victim application to be configured with proxy authentication AND for an attacker to be able to trigger or observe a cross-domain redirect. Most small SaaS apps do not use authenticated proxies, significantly reducing real-world exposure.
Affected Components
- axios < 1.6.8
- follow-redirects < 1.15.6
Remediation Steps
- Upgrade axios to version 1.6.8 or later — this pulls in follow-redirects ≥ 1.15.6 as a dependency: `npm install axios@latest` or `yarn add axios@latest`.
- If follow-redirects is also a direct dependency in your project, upgrade it explicitly: `npm install follow-redirects@latest`.
- Run `npm ls follow-redirects` to confirm no other packages in your dependency tree are pinning an older version of follow-redirects.
- Run `npm audit` to verify CVE-2024-28849 no longer appears in your audit report.
- If your app uses proxy authentication, rotate any proxy credentials as a precaution — you cannot determine retrospectively whether they were leaked.
Verification Steps
- Run `npm ls axios` and confirm the installed version is 1.6.8 or higher.
- Run `npm ls follow-redirects` and confirm all resolved versions are 1.15.6 or higher.
- Run `npm audit` and verify CVE-2024-28849 / GHSA-cxjh-pqwp-8mfp is no longer listed.
- In CI/CD, add `npm audit --audit-level=moderate` as a pipeline gate to catch regressions.
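The lockfile check behind the remediation and verification steps above, as an added example (not tooling from the advisory or from npm): it walks the `packages` map of a lockfile v2/v3 `package-lock.json` and reports every resolved copy of axios or follow-redirects below the fixed versions, including nested copies pinned by another dependency, which `npm ls follow-redirects` would also surface. The lockfile content is a constructed sample.

```javascript
// Added example, not from the advisory or npm: report every resolved copy of
// axios / follow-redirects in a lockfile v2/v3 "packages" map that is below
// the fixed version. Handy as an offline CI gate alongside `npm audit`.
const FIXED_VERSIONS = { axios: '1.6.8', 'follow-redirects': '1.15.6' };

// Compare dotted numeric versions: negative if a < b, 0 if equal, positive if a > b.
// Pre-release suffixes are ignored, which is sufficient for these two packages.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Return {path, name, version, fixed} for each copy older than the fixed version.
// Lockfile keys look like "node_modules/axios" or, when nested,
// "node_modules/some-dep/node_modules/follow-redirects".
function findVulnerablePackages(lockfile) {
  const findings = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (path === '' || !meta.version) continue; // "" is the root project entry
    const name = path.split('node_modules/').pop(); // last segment is the package name
    if (!(name in FIXED_VERSIONS)) continue;
    if (compareVersions(meta.version, FIXED_VERSIONS[name]) < 0) {
      findings.push({ path, name, version: meta.version, fixed: FIXED_VERSIONS[name] });
    }
  }
  return findings;
}

// Constructed sample lockfile: top-level axios and follow-redirects are fixed,
// but a hypothetical wrapper package pins its own older follow-redirects.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/axios': { version: '1.6.8' },
    'node_modules/follow-redirects': { version: '1.15.6' },
    'node_modules/some-http-wrapper': { version: '2.0.0' },
    'node_modules/some-http-wrapper/node_modules/follow-redirects': { version: '1.15.4' },
  },
};
```

Against a real project, load the file with `JSON.parse(require('node:fs').readFileSync('package-lock.json', 'utf8'))` and fail the pipeline when `findVulnerablePackages` returns a non-empty list.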
Code Examples (json)

package.json — vulnerable:

```json
{
  "dependencies": {
    "axios": "^0.21.4"
  }
}
```

package.json — fixed:

```json
{
  "dependencies": {
    "axios": "^1.6.8"
  }
}
```
Best Practices
- Pin or range-lock major dependency versions and run `npm audit` in CI on every pull request to catch newly disclosed CVEs early.
- Use `npm ls <package>` or a Software Composition Analysis (SCA) tool to audit transitive dependencies — vulnerabilities often live one or two levels deep.
- If your application routes outbound requests through an authenticated proxy, treat proxy credentials with the same sensitivity as API keys: rotate them periodically and store them in a secrets manager, not in environment files.
- Prefer the native `fetch` API (Node 18+) or a well-maintained HTTP client for new projects to reduce transitive dependency surface.