Description
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services. This issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or internal services despite the configured protections. This vulnerability is fixed in 1.15.0 and 0.31.0.
Published: 2026-04-09
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Server Side Request Forgery via proxy bypass
Action: Immediate Patch
AI Analysis

Impact

Axios can incorrectly skip NO_PROXY checks when a hostname appears in a trailing‑dot form such as "localhost." or uses the IPv6 literal "[::1]". This oversight indicates a hostname normalization weakness (CWE‑1289) and a misinterpretation of proxy configuration (CWE‑441), allowing requests to be sent through a configured proxy even when NO_PROXY is intended to protect internal or loopback addresses. The result is that an attacker can force Axios to send internal or otherwise protected traffic to any target, creating a vulnerability that could be used for SSRF (CWE‑918), data exfiltration, or denial of service against hidden services. The impact therefore spans confidentiality, integrity, and availability of resources that were assumed to be safe from external reach. Based on the description, it is inferred that the attack vector requires an attacker to induce the application to issue HTTP requests via Axios that trigger the NO_PROXY bypass, allowing external traffic to reach internal endpoints through a proxy.

Affected Systems

Axios, the promise‑based HTTP client for browsers and Node.js, is affected when it is older than version 1.15.0 or 0.31.0. Any application that imports or requires Axios from these older releases, whether running in a browser environment or a Node.js runtime, is vulnerable. The flaw exists in both the browser and Node.js builds and applies to any configuration that relies on the NO_PROXY environment variable or its equivalent.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.3, classifying it as medium. The EPSS score of <1% indicates a low exploitation probability, suggesting that while the flaw could be used for SSRF, it is currently unlikely to be exploited widely. The attack requires the ability to influence the Axios request or configuration; once that is possible, the attacker can force traffic through a proxy to internal endpoints, potentially executing SSRF against protected services.

Generated by OpenCVE AI on April 18, 2026 at 09:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Axios to version 1.15.0 or 0.31.0 (or newer) to resolve the NO_PROXY normalization issue.
  • After upgrading, test NO_PROXY handling by requesting "localhost.", "localhost", and "[::1]" to confirm that loopback traffic is not forwarded through proxies.
  • If an immediate upgrade is unavailable, temporarily disable Axios proxy usage for any sensitive requests, or add application‑level validation that rejects URLs pointing to internal networks.

Generated by OpenCVE AI on April 18, 2026 at 09:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-3p68-rc4w-qgx5 Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF
History

Thu, 16 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
Title Axios has a NO_PROXY Hostname Normalization Bypass Leads to SSRF Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L'}

 cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}

Tue, 14 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:axios:axios:*:*:*:*:*:node.js:*:*
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L'}

 cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L'}

Tue, 14 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
Description Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services. This issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or internal services despite the configured protections. This vulnerability is fixed in 1.15.0. Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services. This issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or internal services despite the configured protections. This vulnerability is fixed in 1.15.0 and 0.31.0.
References

Sat, 11 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1289
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L'}

threat_severity

Important

Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Axios
Axios axios
Vendors & Products Axios
Axios axios

Thu, 09 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 09 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services. This issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or internal services despite the configured protections. This vulnerability is fixed in 1.15.0.
Title Axios has a NO_PROXY Hostname Normalization Bypass Leads to SSRF
Weaknesses CWE-441
CWE-918
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L'}

Subscriptions

Axios Axios
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-16T18:44:20.705Z

Reserved: 2025-10-20T19:41:22.741Z

Link: CVE-2025-62718

cve-icon Vulnrichment

Updated: 2026-04-09T15:02:59.773Z

cve-icon NVD

Status : Modified

Published: 2026-04-09T15:16:08.650

Modified: 2026-04-16T19:16:33.063

Link: CVE-2025-62718

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-09T14:31:46Z

Links: CVE-2025-62718 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T09:45:25Z

Weaknesses