Impact
Axios, a promise‑based HTTP client for Node.js and browsers, contains a server‑side request forgery (SSRF) flaw in its proxy‑bypass logic. The no_proxy hostname check is a plain string comparison: it does not canonicalise IP aliases or loopback equivalents, so when no_proxy=localhost is set, requests addressed to 127.0.0.1 or ::1 fail to match the exclusion and are routed through the configured proxy instead of directly to the local interface. An attacker who can steer the destination URL can therefore use the application as a relay to internal services that are normally reachable only from within the host, enabling data exfiltration or exploitation of those services. The flaw is classified as CWE‑918 (Server‑Side Request Forgery) and is also tagged CWE‑1220 (Insufficient Granularity of Access Control).
Affected Systems
The axios library itself is affected: every release older than 1.15.1 on the 1.x line and older than 0.31.1 on the 0.x line is vulnerable, so 1.15.1 and 0.31.1 are the fixed versions to upgrade to. Any application that bundles one of the vulnerable releases, configures no_proxy to exclude localhost (or another loopback alias), and sends outbound requests through Axios is exposed. Because Axios is frequently pulled in as a transitive dependency, check the resolved version with `npm ls axios` (or your package manager's equivalent) rather than only the version pinned in your own package.json.
Risk and Exploitability
The CVSS base score of 6.8 places the flaw at Medium severity, and an EPSS score below 1% indicates that exploitation in the wild is currently rare. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. From the description it is inferred that an attacker needs to control, or partially control, the destination URL the application requests (loopback addresses such as 127.0.0.1 or ::1 are the relevant targets), or otherwise influence the no_proxy configuration; no user interaction is required in a server‑side context. The flaw is therefore a realistic SSRF path to host‑local services wherever the application relies on Axios for outbound traffic and trusts no_proxy to keep loopback requests off the proxy.
OpenCVE Enrichment
GitHub GHSA