CVE-2025-62718
published 2026-04-09


Priority: P2 62 · Severity: critical · CVSS 3.1 base score: 9.9
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:L / A:L
EPSS: 1.19% (63.9th percentile)
Axios is a promise-based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses such as localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services. This issue leads to the possibility of proxy bypass and SSRF vulnerabilities, allowing attackers to reach sensitive loopback or internal services despite the configured protections. This vulnerability is fixed in 1.15.0 and 0.31.0.

Affected

13 ranges

Vendor  Product  Version range      Fixed in
axios   axios    < 0.32.0           0.32.0
axios   axios    < 0.31.0           0.31.0
axios   axios    < 0.31.1           0.31.1
axios   axios    -                  -
axios   axios    >= 0 < 1.15.0      1.15.0
axios   axios    >= 0 < 0.31.0      0.31.0
axios   axios    >= 0 < 0.31.1      0.31.1
axios   axios    >= 0 < 0.32.0      0.32.0
axios   axios    >= 1.0.0 < 1.15.0  1.15.0
axios   axios    >= 1.0.0 < 1.15.1  1.15.1
axios   axios    >= 1.0.0 < 1.15.0  1.15.0
axios   axios    >= 1.0.0 < 1.15.1  1.15.1
axios   axios    >= 1.0.0 < 1.16.0  1.16.0

Detection & IOCs (extracted from sources)

  • Detect requests to loopback addresses using trailing-dot hostname normalization bypass (e.g., 'localhost.' with trailing dot) that may indicate exploitation of NO_PROXY bypass
  • Detect requests using IPv6 loopback literal [::1] as hostname in Axios-based applications where NO_PROXY is configured, as these bypass NO_PROXY matching
  • Flag server-side Axios usage where both HTTP_PROXY and NO_PROXY environment variables are set and attacker-controlled URLs are passed — prerequisite conditions for exploitation
  • Vulnerability only affects Axios versions prior to 1.15.0 (v1.x branch) and prior to 0.31.0 (v0.x branch); fixed versions are 1.15.0 and 0.31.0
  • Exploitation requires a non-default combination of conditions: attacker-controlled URLs in a server-side Axios context, both HTTP_PROXY and NO_PROXY configured, and a proxy positioned to act on or intercept the misdirected traffic
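The description above explains the bug class (a NO_PROXY check that compares the raw hostname, so "localhost." and "[::1]" never equal the "localhost" and "::1" rules) and the detection bullets describe what to look for. The following is an added illustration written for this page, not axios's own NO_PROXY code: a naive matcher beside a normalizing one, plus a small check that flags requests whose raw hostname only matches NO_PROXY after normalization. The NO_PROXY value and the rule syntax (exact host, "*", and leading-dot suffix rules) are constructed assumptions.

```javascript
// Constructed sample NO_PROXY list (not taken from any real deployment).
const SAMPLE_NO_PROXY = "localhost,127.0.0.1,::1,.internal";

function parseNoProxy(value) {
  return value.split(",").map((s) => s.trim()).filter(Boolean);
}

// Normalize a hostname before comparing it with NO_PROXY rules:
// lower-case, drop the brackets around an IPv6 literal, drop trailing dots.
function normalizeHostname(hostname) {
  let h = hostname.toLowerCase();
  if (h.startsWith("[") && h.endsWith("]")) h = h.slice(1, -1);
  return h.replace(/\.+$/, "");
}

// Assumed rule syntax: "*" matches everything, ".suffix" matches the suffix
// (and the bare domain), anything else must equal the host exactly.
function ruleMatches(rule, host) {
  if (rule === "*") return true;
  if (rule.startsWith(".")) return host === rule.slice(1) || host.endsWith(rule);
  return host === rule;
}

// Vulnerable pattern: the hostname taken from the URL is compared as-is.
// WHATWG URL parsing keeps "localhost." and "[::1]" literally, so neither
// equals the "localhost" / "::1" rules and the request is sent to the proxy.
function naiveBypassesProxy(url, noProxy) {
  const host = new URL(url).hostname;
  return parseNoProxy(noProxy).some((rule) => ruleMatches(rule.toLowerCase(), host));
}

// Hardened pattern: both the host and every rule are normalized first.
function normalizedBypassesProxy(url, noProxy) {
  const host = normalizeHostname(new URL(url).hostname);
  return parseNoProxy(noProxy).map(normalizeHostname).some((rule) => ruleMatches(rule, host));
}

// Detection aid for the signals listed above: a request whose raw hostname
// differs from its normalized form, yet normalizes onto a NO_PROXY entry,
// is the exact shape of a normalization-bypass attempt and is worth logging.
function looksLikeNormalizationBypass(url, noProxy) {
  const raw = new URL(url).hostname;
  return raw !== normalizeHostname(raw) && normalizedBypassesProxy(url, noProxy);
}
```

Running `looksLikeNormalizationBypass` over outbound request URLs in an Axios request interceptor gives a cheap per-request signal for the first two detection bullets.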

CVSS provenance

nvd            v3.1  9.9  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L
nvd            v4.0  6.3  MEDIUM    CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
ghsa                 9.3  CRITICAL
vendor_redhat        9.3  CRITICAL