Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios’s Node.js HTTP adapter may forward a Proxy-Authorization header to a redirected origin during specific proxy-to-direct redirect flows. This affects Node.js usage, where an initial HTTP request is sent through an authenticated HTTP proxy, redirects are followed, and the redirected URL is no longer proxied. Under affected redirect shapes, the final origin can receive the proxy credential that was intended only for the outbound proxy. This vulnerability is fixed in 0.32.0 and 1.16.0.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
Axios, a widely-used HTTP client library for Node.js and browsers, contains a critical credential leakage vulnerability in its HTTP adapter. When an authenticated request is sent through an HTTP proxy and then redirected to a non-proxied origin, the Proxy-Authorization header may be forwarded to the final destination, exposing proxy credentials to untrusted servers. This affects any Node.js application using Axios versions before 0.32.0 or 1.16.0 that relies on authenticated proxy infrastructure, particularly in enterprise environments where HTTP proxies enforce network security policies. The vulnerability is classified as CWE-201 (Exposure of Sensitive Information Through Output), representing a direct information disclosure risk that could compromise proxy authentication credentials used across an organization's infrastructure.
While this CVE maps to no specific MITRE ATT&CK techniques (reflecting its nature as a library-level credential exposure rather than an exploitation technique), Casky's security skills would identify attack patterns associated with credential harvesting and lateral movement. Practitioners using Casky's extended reasoning capabilities would detect suspicious HTTP traffic flows showing credential headers reaching unexpected destinations, or anomalous redirect chains that transition from authenticated to unauthenticated contexts. By analyzing request/response patterns across Axios client implementations, security teams would recognize the hallmarks of this vulnerability: initial proxy-authenticated requests followed by Location headers pointing to external origins, with corresponding credential leakage in downstream connections. This detection approach aligns with the Casky platform's ability to map behavioral indicators to the underlying technical flaws, enabling rapid patching and mitigation before proxy credentials are compromised in the wild.
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →
Casky has 0 skills that investigate the attack patterns behind CVE-2026-44487. Run one and get CVSS-scored findings in 3 minutes.
Run the skill that detects this →© 2026 Casky.AI, Inc. · AI Security Investigation