SCA: security update for axios (GHSA-pjwm-pj3p-43mv)

high Tenable Cloud Security Plugin ID 442471

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios does
not normalise IPv4-mapped IPv6 addresses. When NO_PROXY lists an IPv4 address such as 127.0.0.1 or
169.254.169.254, a request URL using the IPv4-mapped IPv6 form (::ffff:7f00:1, ::ffff:a9fe:a9fe) still
routes through the configured proxy. Node.js resolves these addresses to the underlying IPv4 host, so the
request reaches the internal service via the proxy rather than being blocked. This vulnerability is fixed
in 0.32.0 and 1.16.0. (CVE-2026-44492)
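
The host normalization that the description says was missing, shown beside a comparison without it. This is an added JavaScript example, not axios's own code and not part of the original advisory. The function names are hypothetical, and only exact-host NO_PROXY entries and `*` are handled.

```javascript
'use strict';
// Added example: all names below are hypothetical, not axios internals.

// Map an IPv4-mapped IPv6 literal (::ffff:7f00:1 or ::ffff:127.0.0.1)
// to dotted IPv4; return any other host lower-cased without brackets.
function normalizeHost(host) {
  const h = host.toLowerCase().replace(/^\[|\]$/g, '');
  const dotted = /^::ffff:(\d{1,3}(?:\.\d{1,3}){3})$/.exec(h);
  if (dotted) return dotted[1];
  const hex = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(h);
  if (!hex) return h;
  const hi = parseInt(hex[1], 16);
  const lo = parseInt(hex[2], 16);
  return [hi >> 8, hi & 0xff, lo >> 8, lo & 0xff].join('.');
}

// True when the URL's host matches a NO_PROXY entry after normalization.
// Suffix and CIDR rules are out of scope for this example.
function matchesNoProxy(requestUrl, noProxy) {
  const host = normalizeHost(new URL(requestUrl).hostname);
  return noProxy
    .split(',')
    .map((e) => e.trim())
    .filter(Boolean)
    .some((e) => e === '*' || normalizeHost(e) === host);
}

// Raw string comparison with no normalization, modelling the behaviour
// the description attributes to affected versions (not axios code).
function matchesNoProxyNaive(requestUrl, noProxy) {
  const host = new URL(requestUrl).hostname.replace(/^\[|\]$/g, '');
  return noProxy.split(',').map((e) => e.trim()).includes(host);
}

// Constructed sample input using the addresses named in the description.
const NO_PROXY = '127.0.0.1, 169.254.169.254';
for (const url of [
  'http://127.0.0.1/',
  'http://[::ffff:7f00:1]/',
  'http://[::ffff:a9fe:a9fe]/',
  'http://[::1]/',
]) {
  console.log(url, 'naive:', matchesNoProxyNaive(url, NO_PROXY),
    'normalized:', matchesNoProxy(url, NO_PROXY));
}
```

A `false` in the naive column for a mapped address is the case the description covers: the host is excluded by NO_PROXY in its IPv4 form but is not recognised in its IPv6 form.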

Solution

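Update the axios library and its related packages to version 0.32.0 or later. Per the description above, the fix was released in both 0.32.0 and 1.16.0, so confirm that the installed version is at or above the fixed release for its version line.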

See Also

https://github.com/advisories/GHSA-pjwm-pj3p-43mv

Plugin Details

Severity: High

ID: 442471

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 5/29/2026

Updated: 6/15/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 6

Percentile: 96.69

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

CVSS Score Source: CVE-2026-44492

CVSS v3

Risk Factor: High

Base Score: 8.6

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/29/2026

Vulnerability Publication Date: 5/29/2026

Reference Information

CVE: CVE-2026-44492

CWE: CWE-918