- Description
- Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services. This issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or internal services despite the configured protections. This vulnerability is fixed in 1.15.0.
- Source
- security-advisories@github.com
- NVD status
- Awaiting Analysis
CVSS 4.0
- Type
- Secondary
- Base score
- 9.3
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- CRITICAL
- security-advisories@github.com
- CWE-441
- Hype score
- Not currently trending
A NO_PROXY hostname normalization bypass (CVE-2025-62718) in `Axios` could lead to SSRF. Implement strict input validation and monitor for patches. #Axios #SSRF #infosec https://t.co/WXaOC4cAHG
@pulsepatchio
11 Apr 2026
244 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Critical Axios flaw: CVE-2025-62718 A NO_PROXY hostname normalization bypass could expose internal services and weaken proxy-based protections. Update to the patched version now. 🔗 https://t.co/9DxECL7lYV #CyberSecurity #Axios #CVE202562718 #Vulert https://t.co/TCbiiUdB2V
@vulert_official
10 Apr 2026
222 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
csirt_it: ‼ #Axios: disponibile #PoC per lo sfruttamento della CVE-2025-62718, presente nella nota libreria open source Rischio: 🔴 Tipologia: 🔸 Information Disclosure 🔸 Spoofing 🔗 https://t.co/2svV2NWHHY ⚠ Importante mantenere aggiornati i sist… https://t.co
@Vulcanux_
10 Apr 2026
175 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
‼ #Axios: disponibile #PoC per lo sfruttamento della CVE-2025-62718, presente nella nota libreria open source Rischio: 🔴 Tipologia: 🔸 Information Disclosure 🔸 Spoofing 🔗 https://t.co/QtFHPBplYq ⚠ Importante mantenere aggiornati i sistemi https://t.co/6gBaSyUaD
@csirt_it
10 Apr 2026
362 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
🚨 New CRITICAL CVE detected in AWS Lambda 🚨 CVE-2025-62718 impacts axios in 4 Lambda base images. Details: https://t.co/9dlFffg6Zv More: https://t.co/6EUGaPyRZk #AWS #Lambda #CVE #CloudSecurity #Serverless
@LambdaWatchdog
10 Apr 2026
147 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-62718 Proxy Bypass and SSRF via Hostname Normalization in Axios Before 1.15.0 https://t.co/JhQG7A0nY0
@VulmonFeeds
9 Apr 2026
186 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-62718 Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules… https://t.co/NPkSPMTV1M
@CVEnew
9 Apr 2026
271 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 CVE-2025-62718: Axios has a NO_PROXY Hostname No... Hostname normalization bypass in Axios lets attackers proxy-hop past NO_PROXY protections with trailing dots and IPv6 l... https://t.co/K0GpVbS68F #netsec #vulnerability #CVE #sysadmin #zeroday
@0dayPublishing
9 Apr 2026
207 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes