AI description
CVE-2025-62718 is a vulnerability affecting Axios, a promise-based HTTP client for browsers and Node.js, specifically in versions prior to 1.15.0. The issue stems from Axios's incorrect handling of hostname normalization when evaluating `NO_PROXY` rules. This flaw allows requests to loopback addresses, such as `localhost.` (with a trailing dot) or `[::1]` (an IPv6 literal), to bypass `NO_PROXY` configurations and be routed through a proxy. This normalization bypass can lead to proxy bypass and Server-Side Request Forgery (SSRF) vulnerabilities. Attackers could exploit this to force requests through a proxy, potentially gaining unauthorized access to sensitive loopback or internal services that are intended to be protected by `NO_PROXY` settings. The vulnerability is resolved in Axios version 1.15.0.
- Description
- Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services. This issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or internal services despite the configured protections. This vulnerability is fixed in 1.15.0 and 0.31.0.
- Source
- security-advisories@github.com
- NVD status
- Analyzed
- Products
- axios
CVSS 4.0
- Type
- Secondary
- Base score
- 6.3
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- MEDIUM
CVSS 3.1
- Type
- Primary
- Base score
- 9.9
- Impact score
- 5.3
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L
- Severity
- CRITICAL
- security-advisories@github.com
- CWE-441
- Hype score
- Not currently trending
🔴 Axios, NO_PROXY Loopback Bypass, #CVE-2025-62718 (Critical) https://t.co/b0rkAk6ZJ6
@dailycve
5 May 2026
74 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Group(betwick, vicduong, Hisokaaa) claims Polymarket compromise: 1,609-user PII DB, hardcoded API keys, CVE-2025-62718, CVE-2025-27152, CVE-2024-51479, and alleges $2.5M insider trading on US-Iran markets.
@shadowcatLabs
30 Apr 2026
98 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
🔍 Lambda Watchdog detected that CVE-2025-62718 is no longer present in latest AWS Lambda base image scans. https://t.co/9dlFffg6Zv #AWS #Lambda #Security #CVE #DevOps #SecOps
@LambdaWatchdog
24 Apr 2026
132 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVSS 9.3: Axios CVE-2025-62718 is under active exploitation—hackers can manipulate server requests, potentially exposing sensitive data. Patch now to safeguard your systems. #NerdieNews #CyberSecurity #InfoSec #ZeroDay #DataBreach #Adobe #Apple https://t.co/ngtPLj409P
@NewsNerdie
14 Apr 2026
122 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Axios CVE-2025-62718 allows a critical NO_PROXY bypass via hostname normalization errors. Protect your internal network from SSRF—patch or normalize today! #AxiosVulnerability #CyberSecurity #SSRF #InfoSec #NodeJS #WebDev https://t.co/FVqKkYkynj https://t.co/U8wtJItO2r
@the_yellow_fall
14 Apr 2026
821 Impressions
6 Retweets
14 Likes
4 Bookmarks
0 Replies
0 Quotes
A NO_PROXY hostname normalization bypass (CVE-2025-62718) in `Axios` could lead to SSRF. Implement strict input validation and monitor for patches. #Axios #SSRF #infosec https://t.co/WXaOC4cAHG
@pulsepatchio
11 Apr 2026
244 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Critical Axios flaw: CVE-2025-62718 A NO_PROXY hostname normalization bypass could expose internal services and weaken proxy-based protections. Update to the patched version now. 🔗 https://t.co/9DxECL7lYV #CyberSecurity #Axios #CVE202562718 #Vulert https://t.co/TCbiiUdB2V
@vulert_official
10 Apr 2026
222 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
csirt_it: ‼ #Axios: disponibile #PoC per lo sfruttamento della CVE-2025-62718, presente nella nota libreria open source Rischio: 🔴 Tipologia: 🔸 Information Disclosure 🔸 Spoofing 🔗 https://t.co/2svV2NWHHY ⚠ Importante mantenere aggiornati i sist… https://t.co
@Vulcanux_
10 Apr 2026
175 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
‼ #Axios: disponibile #PoC per lo sfruttamento della CVE-2025-62718, presente nella nota libreria open source Rischio: 🔴 Tipologia: 🔸 Information Disclosure 🔸 Spoofing 🔗 https://t.co/QtFHPBplYq ⚠ Importante mantenere aggiornati i sistemi https://t.co/6gBaSyUaD
@csirt_it
10 Apr 2026
362 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
🚨 New CRITICAL CVE detected in AWS Lambda 🚨 CVE-2025-62718 impacts axios in 4 Lambda base images. Details: https://t.co/9dlFffg6Zv More: https://t.co/6EUGaPyRZk #AWS #Lambda #CVE #CloudSecurity #Serverless
@LambdaWatchdog
10 Apr 2026
147 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-62718 Proxy Bypass and SSRF via Hostname Normalization in Axios Before 1.15.0 https://t.co/JhQG7A0nY0
@VulmonFeeds
9 Apr 2026
186 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-62718 Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules… https://t.co/NPkSPMTV1M
@CVEnew
9 Apr 2026
271 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 CVE-2025-62718: Axios has a NO_PROXY Hostname No... Hostname normalization bypass in Axios lets attackers proxy-hop past NO_PROXY protections with trailing dots and IPv6 l... https://t.co/K0GpVbS68F #netsec #vulnerability #CVE #sysadmin #zeroday
@0dayPublishing
9 Apr 2026
207 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
[
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:axios:axios:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "E420AFD0-4C1B-4C44-A578-D6B90BF40F08",
"versionEndExcluding": "0.31.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:axios:axios:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "E0DF6CEE-CC97-4C5F-A81B-6F1A6D77D4CC",
"versionEndExcluding": "1.15.0",
"versionStartIncluding": "1.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
]