CVE-2025-62718

EUVD ID: EUVD-2025-209381
Severity: CRITICAL 9.3 (CVSS 4.0)
Published: 2026-04-09
Source: GitHub_M (GHSA-3p68-rc4w-qgx5)

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline

Patch Released: Apr 09, 2026 - 20:30 (nvd) - patch available
EUVD ID Assigned: Apr 09, 2026 - 15:00 (euvd) - EUVD-2025-209381
Analysis Generated: Apr 09, 2026 - 15:00 (vuln.today)
CVE Published: Apr 09, 2026 - 14:31 (nvd)

Description

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services. This issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or internal services despite the configured protections. This vulnerability is fixed in 1.15.0.

Analysis

Hostname normalization bypass in Axios (JavaScript HTTP client) versions prior to 1.15.0 allows unauthenticated remote attackers to circumvent NO_PROXY configuration rules and force HTTP requests through configured proxies. Attackers can use non-canonical loopback representations (localhost. with a trailing dot, [::1] IPv6 literals) to bypass proxy restrictions and conduct Server-Side Request Forgery (SSRF) attacks against protected internal services. Publicly available exploit code exists. Affects all Axios deployments in Node.js and browser environments with NO_PROXY configurations.

Technical Context

Root cause is CWE-441 (Unintended Proxy or Intermediary) in Axios proxy bypass logic. The library fails to canonicalize hostnames per RFC 1034/3986 before matching NO_PROXY rules. Non-normalized loopback representations (trailing dots in DNS names, IPv6 bracket notation) evade string-based NO_PROXY filters, routing requests through proxies despite developer intent to exclude localhost/internal ranges.
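As an added example (not axios's own code), the following shows the raw string-comparison NO_PROXY matcher the analysis describes beside a matcher that canonicalizes the hostname (lowercase, trailing dot removed, IPv6 brackets removed) before matching; the function names and the NO_PROXY value are constructed for illustration.

```javascript
// Added example, not axios's own code. Function names are hypothetical.

// Canonicalize a hostname before any NO_PROXY comparison:
// lowercase, strip IPv6 literal brackets ("[::1]" -> "::1"), strip the
// trailing dot of a fully qualified name ("localhost." -> "localhost").
function canonicalizeHost(host) {
  let h = String(host).trim().toLowerCase();
  if (h.startsWith('[') && h.endsWith(']')) h = h.slice(1, -1);
  while (h.endsWith('.')) h = h.slice(0, -1);
  return h;
}

// Split a comma-separated NO_PROXY value into its entries.
function parseNoProxy(noProxy) {
  return String(noProxy || '').split(',').map(e => e.trim()).filter(Boolean);
}

// Naive matcher of the kind the advisory describes: the raw hostname is
// compared against the raw NO_PROXY entries. "localhost." and "[::1]" never
// equal "localhost" / "::1", so those requests are sent through the proxy.
function naiveShouldBypassProxy(host, noProxy) {
  return parseNoProxy(noProxy).some(e =>
    e === '*' || host === e || host.endsWith(e.startsWith('.') ? e : '.' + e));
}

// Hardened matcher: canonicalize the request host and every entry, then
// apply the usual rules: "*" matches all, a leading-dot entry matches any
// subdomain, a plain entry matches the host itself or its subdomains.
// Matching is on whole labels, so "evil-localhost" never matches "localhost".
function shouldBypassProxy(host, noProxy) {
  const h = canonicalizeHost(host);
  return parseNoProxy(noProxy).map(e => canonicalizeHost(e)).some(e => {
    if (e === '*') return true;
    const exact = e.startsWith('.') ? e.slice(1) : e;
    return h === exact || h.endsWith('.' + exact);
  });
}

// Constructed check: the same NO_PROXY setting against several host forms.
const NO_PROXY = 'localhost,::1,127.0.0.1,.internal.example';
for (const host of ['localhost', 'localhost.', '[::1]', 'LOCALHOST.', 'api.example.com']) {
  console.log(host.padEnd(16), 'naive:', naiveShouldBypassProxy(host, NO_PROXY),
              'hardened:', shouldBypassProxy(host, NO_PROXY));
}
```

A `true` result means the request stays off the proxy; the naive matcher returns `false` for `localhost.` and `[::1]`, which is the bypass the advisory describes.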

Affected Products

axios (vendor: axios) versions prior to 1.15.0. CPE: cpe:2.3:a:axios:axios:*:*:*:*:*:*:*:* (all versions < 1.15.0). Impacts Node.js server-side applications and browser-based JavaScript clients using Axios with NO_PROXY or proxy configuration.

Remediation

Vendor-released patch: Upgrade to Axios 1.15.0 immediately. The fix implements RFC-compliant hostname normalization before NO_PROXY matching (commit fb3befb6daac6cad26b2e54094d0f2d9e47f24df). Advisory URL: https://github.com/axios/axios/security/advisories/GHSA-3p68-rc4w-qgx5. For environments unable to upgrade immediately, implement strict network egress controls at the firewall/infrastructure layer to block proxy access to loopback/RFC1918 addresses. Review all NO_PROXY configurations and validate that critical internal services are not reachable via proxy routes. Do not rely on application-layer NO_PROXY rules as the sole SSRF protection until patched.

Priority Score

46 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +46
POC: 0

CVE-2025-62718 vulnerability details – vuln.today