CVE-2025-62718
Proxy Bypass and SSRF in Axios via NO_PROXY Hostname Handling
Publication date: 2026-04-09
Last updated on: 2026-04-16
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| axios | axios | all versions before 1.15.0 (1.15.0 excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
| CWE-441 | The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The CVE-2025-62718 vulnerability in Axios allows attackers to bypass NO_PROXY rules and force requests to internal or loopback services through a proxy. This can lead to Server-Side Request Forgery (SSRF) attacks, potentially exposing sensitive internal services and data.
Such unauthorized access and data exposure risks can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to sensitive personal and health information. The vulnerability undermines network security controls designed to prevent unauthorized data access or exfiltration, thereby increasing the risk of data breaches.
By allowing attackers to circumvent proxy restrictions and access internal services, this vulnerability could lead to confidentiality breaches and unauthorized data disclosure, which are critical compliance concerns under these regulations.
Can you explain this vulnerability to me?
CVE-2025-62718 is a critical security vulnerability in the Axios HTTP client library that arises from improper hostname normalization when evaluating NO_PROXY environment variable rules. Axios failed to correctly handle hostnames with trailing dots (e.g., "localhost.") and IPv6 literals (e.g., "[::1]") during proxy bypass checks. This flaw caused requests to loopback or internal addresses to bypass NO_PROXY rules and be routed through a proxy, contrary to developer expectations.
Because of this, attackers can exploit the vulnerability to force requests to internal or loopback services through an attacker-controlled proxy, enabling Server-Side Request Forgery (SSRF) attacks. This allows unauthorized access to sensitive internal services despite protections configured via NO_PROXY.
The vulnerability was fixed in Axios version 1.15.0 by introducing a hostname normalization helper that correctly handles trailing dots, bracketed IPv6 addresses, wildcards, and port matching to ensure NO_PROXY rules are properly enforced.
How can this vulnerability impact me?
This vulnerability can have serious security impacts by allowing attackers to bypass proxy restrictions intended to protect internal or loopback services. Specifically, it enables Server-Side Request Forgery (SSRF) attacks where an attacker can coerce Axios to send requests through a proxy to sensitive internal endpoints that should have been excluded by NO_PROXY rules.
The impact includes unauthorized access to internal services, potential data exfiltration, and exposure of sensitive information. Attackers controlling request URLs can exploit this to reach internal network resources that are normally protected, undermining network segmentation and security controls.
The vulnerability has a high CVSS v4 base score of 9.3, indicating critical severity with high confidentiality impact, low integrity and availability impacts, and no required privileges or user interaction.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves Axios incorrectly handling hostname normalization when evaluating NO_PROXY rules, allowing requests to loopback addresses written as "localhost." (with a trailing dot) or "[::1]" (a bracketed IPv6 literal) to bypass proxy exclusions. To detect exploitation attempts on your network or system, monitor proxy logs for requests that should have been excluded by NO_PROXY but are still being proxied.
Specifically, look for requests targeting loopback addresses with trailing dots (e.g., "localhost.") or bracketed IPv6 literals (e.g., "[::1]") that are unexpectedly routed through the proxy.
Suggested commands or methods include:
- Check proxy server access logs for requests to loopback addresses with trailing dots or IPv6 literals.
- Use network packet capture tools (e.g., tcpdump, Wireshark) to filter HTTP requests containing hostnames like "localhost." or "[::1]" that are sent through proxies.
- On systems running Axios, audit the Axios version in use (e.g., via npm list axios) to identify vulnerable versions prior to 1.15.0.
- Review application logs or debug output for HTTP requests that unexpectedly use proxies despite NO_PROXY settings.
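The following is an added example (JavaScript, written for this page; it is not axios's own code) that ties together the explanation above and the detection advice: a constructed stand-in for the pre-fix string comparison that lets "localhost." and "[::1]" slip past NO_PROXY, a normalizing matcher of the kind the 1.15.0 fix is described as adding (trailing dots, bracketed IPv6, wildcards, port matching), and a scanner that reads proxy access-log lines and flags requests to loopback destinations that went through the proxy anyway. Function names, the NO_PROXY syntax subset handled, and the log-line format are assumptions; the sample log lines are constructed.

```javascript
// Added example for CVE-2025-62718 (not axios code). Node.js; uses the global URL class.

// Canonical host form: lower-case, IPv6 brackets removed, trailing dots removed.
function normalizeHost(host) {
  let h = String(host).trim().toLowerCase();
  if (h.startsWith("[") && h.endsWith("]")) h = h.slice(1, -1);
  while (h.endsWith(".")) h = h.slice(0, -1);
  return h;
}

// Split "host", "host:port" or "[v6]:port"; port is null when absent.
function splitHostPort(target) {
  const m = /^(\[[^\]]+\]|[^:]+)(?::(\d+))?$/.exec(String(target).trim());
  if (!m) return { host: normalizeHost(target), port: null };
  return { host: normalizeHost(m[1]), port: m[2] ? Number(m[2]) : null };
}

// Constructed stand-in for the pre-fix behaviour the advisory describes:
// the URL hostname is compared to NO_PROXY entries without normalization.
function naiveNoProxyMatch(hostname, noProxy) {
  return noProxy.split(",").map((s) => s.trim()).filter(Boolean)
    .some((rule) => rule === "*" || hostname === rule ||
                    (rule.startsWith(".") && hostname.endsWith(rule)));
}

// Hardened matcher (assumed semantics): "*" matches all; "*.suffix" and
// ".suffix" match subdomains; a rule port, when present, must equal the URL port.
function shouldBypassProxy(url, noProxy) {
  const u = new URL(url);
  const host = normalizeHost(u.hostname);            // URL.hostname keeps IPv6 brackets
  const port = u.port ? Number(u.port) : (u.protocol === "https:" ? 443 : 80);
  return noProxy.split(",").map((s) => s.trim()).filter(Boolean).some((rule) => {
    if (rule === "*") return true;
    const { host: rHost, port: rPort } = splitHostPort(rule);
    if (rPort !== null && rPort !== port) return false;
    if (rHost.startsWith("*.")) return host.endsWith(rHost.slice(1));
    if (rHost.startsWith(".")) return host === rHost.slice(1) || host.endsWith(rHost);
    return host === rHost;
  });
}

// --- Detection over proxy access logs -------------------------------------

// Destination host of a log entry: CONNECT carries "host:port", others a full URL.
function destinationOf(method, target) {
  if (method === "CONNECT") return splitHostPort(target);
  try {
    const u = new URL(target);
    return { host: normalizeHost(u.hostname), port: u.port ? Number(u.port) : null };
  } catch {
    return { host: normalizeHost(target), port: null };
  }
}

function isLoopback(host) {
  return host === "localhost" || host === "::1" || host.endsWith(".localhost") ||
         /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host);
}

// Assumed log format (constructed): "<timestamp> <client> <method> <target> <status>".
function findProxiedLoopback(logText) {
  const hits = [];
  for (const line of logText.split("\n")) {
    const f = line.trim().split(/\s+/);
    if (f.length < 4) continue;
    const [ts, client, method, target] = f;
    const { host } = destinationOf(method, target);
    if (isLoopback(host)) hits.push({ ts, client, method, target, host });
  }
  return hits;
}

// Constructed sample: two requests use the exact spellings the advisory names.
const SAMPLE_PROXY_LOG = [
  "1760000000.123 10.0.0.5 GET http://localhost./health 200",
  "1760000001.456 10.0.0.5 CONNECT [::1]:8443 200",
  "1760000002.789 10.0.0.7 GET http://example.com/ 200",
  "1760000003.001 10.0.0.9 GET http://127.0.0.1:9200/ 200",
].join("\n");

const NO_PROXY = "localhost,127.0.0.1,::1";
console.log("naive  localhost. ->", naiveNoProxyMatch("localhost.", NO_PROXY));   // false: proxied
console.log("naive  [::1]      ->", naiveNoProxyMatch("[::1]", NO_PROXY));        // false: proxied
console.log("fixed  localhost. ->", shouldBypassProxy("http://localhost./x", NO_PROXY)); // true
console.log("fixed  [::1]      ->", shouldBypassProxy("http://[::1]:8080/x", NO_PROXY)); // true
console.log("proxied loopback hits:", findProxiedLoopback(SAMPLE_PROXY_LOG));
```

The scanner normalizes the destination before deciding, so it catches both the trailing-dot and bracketed-IPv6 spellings as well as plain 127.0.0.0/8 targets; in practice you would feed it the real proxy log format after adjusting the field split in findProxiedLoopback.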
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Axios to version 1.15.0 or later, where this vulnerability is fixed by properly normalizing hostnames and correctly applying NO_PROXY rules.
Additional immediate steps include:
- Audit your NO_PROXY and no_proxy environment variables to ensure they explicitly include loopback addresses in every spelling applications may use: "localhost", "localhost." (trailing dot), and "[::1]".
- Temporarily disable proxy usage for internal or loopback addresses at the network or proxy configuration level if possible.
- Monitor and restrict outbound proxy traffic to prevent unauthorized requests to internal services.
- Apply network-level controls or firewall rules to block unexpected proxy traffic targeting loopback or internal IP addresses.
These steps help reduce the risk of SSRF and proxy bypass attacks until the Axios library is updated.