CVE-2025-62718

Severity: Medium (CVSS 4.0 base score 6.3) · EPSS 60.8%
Published Apr 9, 2026 · Last modified Jun 17, 2026

Description

Axios is a promise-based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly normalize hostnames before checking them against NO_PROXY rules. Requests to loopback addresses written as localhost. (with a trailing dot) or [::1] (a bracketed IPv6 literal) fail to match the NO_PROXY entries "localhost" and "::1", so they are sent through the configured proxy instead of bypassing it. This contradicts what developers expect and lets attackers force requests through the proxy even when NO_PROXY is configured to protect loopback or internal services. The result is a proxy bypass that can be turned into SSRF: the proxy, rather than the client, ends up connecting to loopback or internal services that the NO_PROXY configuration was meant to keep off the proxy path. This vulnerability is fixed in 1.15.0 and 0.31.0.
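The following is an added illustration, not Axios's own code. It contrasts a NO_PROXY matcher that compares the raw hostname string (the behaviour the advisory describes) with one that normalizes the host before matching. The rule syntax is an assumption made for the example: comma-separated entries, "*" for everything, a leading "." for a domain suffix, anything else an exact host match. The sample NO_PROXY value and request URLs are constructed for the demonstration; hostnames come from the WHATWG URL parser as Node.js exposes it, which keeps the brackets on IPv6 literals and the trailing dot on absolute names.

```javascript
// Added example (not axios's code): naive NO_PROXY matching beside a
// normalizing version. Rule syntax below is an assumption for illustration.

// Parse a NO_PROXY string into trimmed, non-empty rules.
function parseNoProxy(noProxy) {
  return noProxy.split(',').map((s) => s.trim()).filter(Boolean);
}

// Naive matcher: the hostname is lowercased but otherwise used as-is, so
// "localhost." (absolute FQDN form, RFC 1034 section 3.1) and "[::1]"
// (bracketed IPv6 literal, RFC 3986 section 3.2.2) never equal the rules
// "localhost" and "::1", and the request goes to the proxy.
function naiveShouldBypassProxy(hostname, noProxy) {
  const host = hostname.toLowerCase();
  return parseNoProxy(noProxy).some((rule) => {
    const r = rule.toLowerCase();
    if (r === '*') return true;
    if (r.startsWith('.')) return host.endsWith(r);
    return host === r;
  });
}

// Normalize a host for comparison: lowercase, drop the IPv6 brackets that a
// URL parser keeps in .hostname, and drop a single trailing dot.
function normalizeHost(hostname) {
  let h = hostname.trim().toLowerCase();
  if (h.startsWith('[') && h.endsWith(']')) h = h.slice(1, -1);
  if (h.length > 1 && h.endsWith('.')) h = h.slice(0, -1);
  return h;
}

// Hardened matcher: the request host and every rule go through the same
// normalization, so the spelling of the host no longer decides whether the
// proxy is skipped.
function shouldBypassProxy(hostname, noProxy) {
  const host = normalizeHost(hostname);
  return parseNoProxy(noProxy).some((rule) => {
    if (rule === '*') return true;
    const r = normalizeHost(rule);
    if (r.startsWith('.')) return host === r.slice(1) || host.endsWith(r);
    return host === r;
  });
}

// For each request URL, report whether it would be sent to the proxy under
// each matcher.
function routeRequests(urls, noProxy) {
  return urls.map((u) => {
    const hostname = new URL(u).hostname;
    return {
      url: u,
      hostname,
      naiveViaProxy: !naiveShouldBypassProxy(hostname, noProxy),
      hardenedViaProxy: !shouldBypassProxy(hostname, noProxy),
    };
  });
}

// Constructed sample: a NO_PROXY meant to keep loopback and an internal
// domain off the proxy, and request URLs in the spellings the advisory names.
const SAMPLE_NO_PROXY = 'localhost,127.0.0.1,::1,.internal.example';
const SAMPLE_URLS = [
  'http://localhost:8080/admin',
  'http://localhost./admin',
  'http://[::1]:8080/admin',
  'http://svc.internal.example./status',
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const row of routeRequests(SAMPLE_URLS, SAMPLE_NO_PROXY)) {
    console.log(row);
  }
}
```

Running the block prints one row per URL: only the plain "localhost" request bypasses the proxy under the naive matcher, while the trailing-dot, bracketed-IPv6 and absolute-internal-name forms all leak to the proxy; the normalizing matcher keeps all four off the proxy. The same normalization has to be applied to the rules, not just the request host, otherwise a NO_PROXY entry written as "[::1]" or "localhost." reopens the gap from the other side.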

CVSS Details

Base Score: 6.3 (CVSS 4.0, Medium)
Vector string: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Present
Privileges Required: None
User Interaction: None
Vulnerable System Impact: Confidentiality Low, Integrity Low, Availability None
Subsequent System Impact: Confidentiality Low, Integrity Low, Availability None
Threat, Environmental and Supplemental metrics (including Safety, S): not defined (X)

Threat Intelligence

EPSS exploit probability: 60.8% percentile
Exploit status: public exploit known
Patch status: patch available

Weaknesses (2)

CWE-441 Unintended Proxy or Intermediary ('Confused Deputy')
CWE-918 Server-Side Request Forgery (SSRF)

Affected Products (2)

Vendor   Product   Version   Range
axios    axios     *         <0.31.0
axios    axios     *         >=1.0.0, <1.15.0

References (9)

  • datatracker.ietf.org https://datatracker.ietf.org/doc/html/rfc1034#section-3.1
    Technical Description
  • datatracker.ietf.org https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2
    Technical Description
  • github.com https://github.com/axios/axios/commit/03cdfc99e8db32a390e12128208b6778492cee9c
    Patch
  • github.com https://github.com/axios/axios/commit/fb3befb6daac6cad26b2e54094d0f2d9e47f24df
    Patch
  • github.com https://github.com/axios/axios/pull/10661
    Issue Tracking, Patch
  • github.com https://github.com/axios/axios/pull/10688
    Issue Tracking
  • github.com https://github.com/axios/axios/releases/tag/v0.31.0
    Release Notes
  • github.com https://github.com/axios/axios/releases/tag/v1.15.0
    Product, Release Notes
  • github.com https://github.com/axios/axios/security/advisories/GHSA-3p68-rc4w-qgx5
    Exploit, Mitigation, Vendor Advisory

Remediation

Upgrade axios to 1.15.0 (1.x line) or 0.31.0 (0.x line), the releases that contain the fix.

  • github.com https://github.com/axios/axios/commit/03cdfc99e8db32a390e12128208b6778492cee9c
    Patch
  • github.com https://github.com/axios/axios/commit/fb3befb6daac6cad26b2e54094d0f2d9e47f24df
    Patch
  • github.com https://github.com/axios/axios/pull/10661
    Issue Tracking, Patch