Description
Axios is a promise-based HTTP client for the browser and Node.js. Prior to 1.15.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services. This issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or internal services despite the configured protections. This vulnerability is fixed in 1.15.0.
Published: 2026-04-09
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Internal Network Exposure (SSRF)
Action: Immediate Patch
AI Analysis

Impact

Axios, a popular HTTP client for browsers and Node.js, contains a flaw in its NO_PROXY processing that allows loopback addresses such as localhost. (with a trailing dot) or the IPv6 literal [::1] to bypass the intended proxy exclusion list. Because hostname normalization is performed incorrectly, these requests are forwarded to the configured proxy. The result is that an attacker can force traffic to sensitive local or internal services that should not be reachable through the proxy, thereby creating a Server-Side Request Forgery (SSRF) vulnerability.

Affected Systems

Applications that incorporate any Axios version prior to 1.15.0 and that rely on NO_PROXY to protect loopback or internal services are affected. This includes both browser-side and server-side code that configures a proxy for HTTP requests.

Risk and Exploitability

The CVSS score of 9.3 reflects a high severity and indicates that exploitation is likely to succeed in compromising confidentiality and availability of internal resources. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector is a request that reaches the application’s Axios instance, allowing an attacker to direct traffic through the proxy to internal loopback addresses and thereby achieve SSRF. The risk is compounded in environments where attackers can influence the request URL, such as compromised user input or malicious code execution within the application.

Generated by OpenCVE AI on April 9, 2026 at 16:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade axios to version 1.15.0 or newer
  • Verify NO_PROXY entries correctly exclude internal loopback addresses, ensuring that trailing dots or IPv6 literals are not inadvertently allowed
  • If an immediate upgrade is not possible, remove or restrict proxy usage for internal services to prevent unintended exposure
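The Impact section above and the second recommended action both come down to one comparison: whether the NO_PROXY check sees the host in a canonical form before matching it. The following is an added illustration, not axios code and not part of the OpenCVE record, that places a naive matcher (raw URL host compared to the rule list) next to one that normalizes both sides (lowercase, IPv6 brackets removed, trailing dots removed) and includes a small audit helper for checking a list of host spellings against your own NO_PROXY value. The rule list and host list are constructed samples; the suffix-matching semantics for ".domain" rules are an assumption modelled on common NO_PROXY conventions, not on axios's parser.

```javascript
// Added example (not axios code): a NO_PROXY matcher that normalizes the
// request host before comparing it with the exclusion list, next to a naive
// matcher that compares the raw URL host. The rule list is a constructed sample.
const SAMPLE_NO_PROXY = 'localhost,127.0.0.1,::1,.internal.example';

// Split a NO_PROXY value into trimmed, lowercased, non-empty rules.
function parseNoProxy(value) {
  return value.split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
}

// Naive check: compares the host string exactly as it appears in the URL, so
// "localhost." and "[::1]" never equal the rules "localhost" and "::1".
function naiveShouldBypassProxy(host, noProxy = SAMPLE_NO_PROXY) {
  const h = host.toLowerCase();
  return parseNoProxy(noProxy).some((rule) =>
    rule.startsWith('.') ? h.endsWith(rule) : h === rule,
  );
}

// Canonical form for comparison: lowercase, IPv6 brackets removed, trailing
// dots (absolute-FQDN notation) removed. Applied to both hosts and rules.
function normalizeHost(host) {
  let h = host.trim().toLowerCase();
  if (h.startsWith('[') && h.endsWith(']')) h = h.slice(1, -1);
  while (h.length > 1 && h.endsWith('.')) h = h.slice(0, -1);
  return h;
}

// Normalized check: exact match for plain rules, suffix match for ".domain"
// rules (the bare domain itself also matches), and "*" matches everything.
function normalizedShouldBypassProxy(host, noProxy = SAMPLE_NO_PROXY) {
  const h = normalizeHost(host);
  return parseNoProxy(noProxy).map(normalizeHost).some((rule) => {
    if (rule === '*') return true;
    if (rule.startsWith('.')) return h === rule.slice(1) || h.endsWith(rule);
    return h === rule;
  });
}

// Wrapper for a full URL: the WHATWG URL parser keeps IPv6 brackets and a
// trailing dot in .hostname, which is exactly what the naive check trips over.
function shouldBypassProxyForUrl(url, noProxy = SAMPLE_NO_PROXY) {
  return normalizedShouldBypassProxy(new URL(url).hostname, noProxy);
}

// Audit helper: per host, report whether each matcher keeps the request off
// the proxy. A row with naive=false and normalized=true is a host spelling
// that a non-normalizing matcher would have sent through the proxy.
function auditHosts(hosts, noProxy = SAMPLE_NO_PROXY) {
  return hosts.map((host) => ({
    host,
    naive: naiveShouldBypassProxy(host, noProxy),
    normalized: normalizedShouldBypassProxy(host, noProxy),
  }));
}

// Constructed sample hosts, including the two spellings named in the advisory.
const SAMPLE_HOSTS = [
  'localhost', 'localhost.', '[::1]', '127.0.0.1.',
  'api.internal.example', 'notinternal.example', 'evil.example',
];
console.table(auditHosts(SAMPLE_HOSTS));
```

Running the block prints the audit table; the rows for localhost. and [::1] show the naive matcher returning false while the normalized matcher returns true. To check a deployment, replace SAMPLE_NO_PROXY with the process's real NO_PROXY value and SAMPLE_HOSTS with the loopback and internal host spellings the application can be made to request; any row where the two columns disagree is a host the upgrade to 1.15.0 (or a proxy restriction) needs to cover.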

Generated by OpenCVE AI on April 9, 2026 at 16:51 UTC.


Advisories
Source: Github GHSA
ID: GHSA-3p68-rc4w-qgx5
Title: Axios has a NO_PROXY Hostname Normalization Bypass Leads to SSRF
History

Sat, 11 Apr 2026 00:15:00 +0000

Type: Weaknesses
  Values Added: CWE-1289

Type: References
  (no change recorded)

Type: Metrics
  Values Removed: threat_severity: None
  Values Added: cvssV3_1: {'score': 7.0, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L'}; threat_severity: Important


Fri, 10 Apr 2026 09:00:00 +0000

Type: First Time appeared
  Values Added: Axios (vendor); Axios axios (product)

Type: Vendors & Products
  Values Added: Axios (vendor); Axios axios (product)

Thu, 09 Apr 2026 17:15:00 +0000

Type: Metrics
  Values Added: ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 09 Apr 2026 15:00:00 +0000

Type: Description
  Values Added: Axios is a promise-based HTTP client for the browser and Node.js. Prior to 1.15.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services. This issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or internal services despite the configured protections. This vulnerability is fixed in 1.15.0.

Type: Title
  Values Added: Axios has a NO_PROXY Hostname Normalization Bypass Leads to SSRF

Type: Weaknesses
  Values Added: CWE-441; CWE-918

Type: References
  (no change recorded)

Type: Metrics
  Values Added: cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-09T16:15:31.322Z

Reserved: 2025-10-20T19:41:22.741Z

Link: CVE-2025-62718

Vulnrichment

Updated: 2026-04-09T15:02:59.773Z

NVD

Status : Received

Published: 2026-04-09T15:16:08.650

Modified: 2026-04-09T17:16:24.557

Link: CVE-2025-62718

Redhat

Severity : Important

Public Date: 2026-04-09T14:31:46Z

Links: CVE-2025-62718 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-10T09:32:45Z

Weaknesses