CVE-2026-44492

Axios · Axios

Axios fails to properly validate IPv4-mapped IPv6 addresses in its proxy bypass function, leading to potential SSRF.

Executive summary

An SSRF vulnerability in Axios allows attackers to bypass proxy configurations by exploiting improper handling of IPv4-mapped IPv6 addresses.

Vulnerability

The shouldBypassProxy function in Axios does not correctly recognize IPv4-mapped IPv6 addresses (IPv6 addresses of the form ::ffff:a.b.c.d that carry an embedded IPv4 address). This allows an attacker to bypass NO_PROXY settings, potentially leading to Server-Side Request Forgery (SSRF) and allowing unauthorized access to internal network resources.
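The defensive check the advisory implies, as an added example that is not Axios's own code: canonicalise the request host so that an IPv4-mapped IPv6 spelling is rewritten to its plain IPv4 form before the NO_PROXY comparison, giving both spellings the same bypass decision. The function names and the NO_PROXY entry syntax handled here are assumptions; the real shouldBypassProxy signature is not shown on this page.

```javascript
// Added example, not Axios's own code; function names are hypothetical.
// Canonicalise a request host before matching it against NO_PROXY so an
// IPv4-mapped IPv6 spelling gets the same decision as the plain IPv4 form.

const IPV4_RE = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// Parse a dotted-quad IPv4 string into an unsigned 32-bit integer, else null.
function parseIPv4(s) {
  const m = IPV4_RE.exec(s);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some(x => x > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

// Strip IPv6 brackets; if the host is IPv4-mapped (::ffff:a.b.c.d or
// ::ffff:hhhh:hhhh) return the embedded IPv4 in dotted-quad form, else host.
function canonicalHost(host) {
  let h = host.trim().toLowerCase();
  if (h.startsWith('[') && h.endsWith(']')) h = h.slice(1, -1);
  const m = /^(?:::|0:0:0:0:0:)ffff:(.+)$/.exec(h);
  if (!m) return h;
  if (parseIPv4(m[1]) !== null) return m[1];
  const hex = /^([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(m[1]);
  if (!hex) return h;
  const hi = parseInt(hex[1], 16), lo = parseInt(hex[2], 16);
  return [hi >> 8, hi & 0xff, lo >> 8, lo & 0xff].join('.');
}

// Match one NO_PROXY entry (exact host, domain suffix, IPv4, or IPv4 CIDR).
// Both sides are canonicalised first: the step the advisory says was missing.
function matchesNoProxyEntry(host, entry) {
  const [ePart, bitsPart] = entry.split('/');
  const h = canonicalHost(host), e = canonicalHost(ePart);
  const hIp = parseIPv4(h), eIp = parseIPv4(e);
  if (hIp !== null && eIp !== null) {
    const bits = bitsPart === undefined ? 32 : Number(bitsPart);
    const mask = bits === 0 ? 0 : ((0xffffffff << (32 - bits)) >>> 0);
    return ((hIp & mask) >>> 0) === ((eIp & mask) >>> 0);
  }
  if (hIp !== null || eIp !== null) return false; // IP vs hostname: no match
  return h === e || (e.startsWith('.') && h.endsWith(e)) || h.endsWith('.' + e);
}

// Bypass the proxy only when the canonicalised host matches a NO_PROXY entry.
function shouldBypassProxyNormalized(host, noProxy) {
  return noProxy.split(',').map(s => s.trim()).filter(Boolean)
    .some(entry => entry === '*' || matchesNoProxyEntry(host, entry));
}
```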

Business impact

With a CVSS score of 8.6, this vulnerability facilitates SSRF, which can allow an attacker to interact with internal services that are not exposed to the public internet. This could result in the unauthorized retrieval of internal data, internal service discovery, or the exploitation of other internal-only vulnerabilities, creating a significant risk to internal network security.

Remediation

Immediate Action: Update the Axios library to version 1.16.0 or 0.32.0 to resolve the proxy bypass logic error.

Proactive Monitoring: Monitor server-side network logs for requests directed at internal IP addresses or services that should be shielded by proxy bypass configurations.

Compensating Controls: Implement strict firewall rules to ensure that application servers cannot initiate unauthorized connections to sensitive internal segments, regardless of proxy configuration.

Exploitation status

Public Exploit Available: true

Analyst recommendation

The potential for SSRF makes this a critical security concern for any environment relying on internal service segmentation. Organizations should update Axios to the recommended versions immediately and review their network egress policies to ensure internal resources are properly protected.