9.9

CVE-2025-62718

Exploit

Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services. This issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or internal services despite the configured protections. This vulnerability is fixed in 1.15.0 and 0.31.0.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
AxiosAxios SwPlatformnode.js Version < 0.31.0
AxiosAxios SwPlatformnode.js Version >= 1.0.0 < 1.15.0
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.19% 0.639
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.9 3.9 5.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L
security-advisories@github.com 6.3 0 0
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
0b0ca135-0b70-47e7-9f44-1890c2a1c46c 7 2.2 4.7
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L
CWE-1289 Improper Validation of Unsafe Equivalence in Input

The product receives an input value that is used as a resource identifier or other type of reference, but it does not validate or incorrectly validates that the input is equivalent to a potentially-unsafe value.

CWE-441 Unintended Proxy or Intermediary ('Confused Deputy')

The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

https://github.com/axios/axios/pull/10661
Patch
Issue Tracking
https://github.com/axios/axios/commit/fb3befb6daac6cad26b2e54094d0f2d9e47f24df
Patch
https://datatracker.ietf.org/doc/html/rfc1034#section-3.1
Technical Description
https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2
Technical Description
https://github.com/axios/axios/releases/tag/v1.15.0
Product
Release Notes
https://github.com/axios/axios/commit/03cdfc99e8db32a390e12128208b6778492cee9c
Patch
https://github.com/axios/axios/pull/10688
Issue Tracking
https://github.com/axios/axios/releases/tag/v0.31.0
Release Notes
https://bugzilla.redhat.com/show_bug.cgi?id=2456913
https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-62718.json
https://access.redhat.com/errata/RHSA-2026:13571
https://access.redhat.com/errata/RHSA-2026:19375
https://access.redhat.com/errata/RHSA-2026:19712
https://access.redhat.com/errata/RHSA-2026:21017
https://access.redhat.com/errata/RHSA-2026:23361
https://access.redhat.com/errata/RHSA-2026:24977
https://access.redhat.com/errata/RHSA-2026:8483
https://access.redhat.com/errata/RHSA-2026:10175
https://access.redhat.com/errata/RHSA-2026:16874
https://access.redhat.com/errata/RHSA-2026:20889
https://access.redhat.com/errata/RHSA-2026:24853
https://access.redhat.com/errata/RHSA-2026:8484
https://access.redhat.com/errata/RHSA-2026:8490
https://access.redhat.com/errata/RHSA-2026:8491
https://access.redhat.com/errata/RHSA-2026:8493
https://access.redhat.com/errata/RHSA-2026:9742
https://access.redhat.com/errata/RHSA-2026:14937
https://access.redhat.com/errata/RHSA-2026:13826
https://access.redhat.com/errata/RHSA-2026:22465
https://access.redhat.com/errata/RHSA-2026:22840
https://access.redhat.com/errata/RHSA-2026:24761
https://access.redhat.com/errata/RHSA-2026:17657
https://access.redhat.com/errata/RHSA-2026:17699
https://access.redhat.com/errata/RHSA-2026:20938
https://access.redhat.com/errata/RHSA-2026:22629
https://access.redhat.com/errata/RHSA-2026:24471
https://access.redhat.com/errata/RHSA-2026:36882
https://access.redhat.com/errata/RHSA-2026:24866
https://github.com/axios/axios/security/advisories/GHSA-3p68-rc4w-qgx5
Vendor Advisory
Exploit
Mitigation
https://access.redhat.com/errata/RHSA-2026:24766
https://access.redhat.com/errata/RHSA-2026:26010
https://access.redhat.com/security/cve/CVE-2025-62718