CVE-2026-44486 (HIGH): detected in Lambda Docker Images.

[the-lambda-watchdog]

CVE Details

CVE ID	Severity	Affected Package	Installed Version	Fixed Version	Date Published	Date of Scan
CVE-2026-44486	HIGH	axios	1.15.2	1.16.0, 0.32.0	2026-06-11T17:16:32.45Z	2026-06-12T10:18:16.790052646Z

---

Affected Docker Images

Image Name	SHA
public.ecr.aws/lambda/nodejs:latest	public.ecr.aws/lambda/nodejs@sha256:5fc0a885aec5f7af983d873496774cc8151a64b4b0be567b2c5707b0441c4f63
public.ecr.aws/lambda/nodejs:24	public.ecr.aws/lambda/nodejs@sha256:dbb877d56e710380d86a0ad9ab48a53ffa0977cbabebd6ae0db366a4cc88b20e
public.ecr.aws/lambda/nodejs:22	public.ecr.aws/lambda/nodejs@sha256:5fc0a885aec5f7af983d873496774cc8151a64b4b0be567b2c5707b0441c4f63

---

Description

Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios’ Node.js HTTP adapter can leak proxy credentials to a redirect target in affected versions. When a request is sent through an authenticated proxy, Axios may add a Proxy-Authorization header. If Axios then follows a redirect and the redirected request is no longer sent through that proxy, the stale Proxy-Authorization header can remain on the redirected request and be sent to the redirect target. This affects Node.js's use of Axios with automatic redirects enabled and an authenticated proxy configuration. Browser adapters are not affected. This vulnerability is fixed in 0.32.0 and 1.16.0.

---

Remediation Steps

• Update the affected package axios from version 1.15.2 to 1.16.0, 0.32.0.

About this issue

• This issue may not contain all the information about the CVE nor the images it affects.
• This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
• For more, visit Lambda Watchdog.
• This issue was created automatically by Lambda Watchdog.