CVE-2025-62718 Overview
CVE-2025-62718 is a Server-Side Request Forgery (SSRF) vulnerability in Axios, a widely-used promise-based HTTP client for both browser and Node.js environments. The vulnerability exists in versions prior to 1.15.0, where Axios fails to correctly handle hostname normalization when checking NO_PROXY rules. This flaw allows requests to loopback addresses such as localhost. (with a trailing dot) or [::1] (IPv6 literal) to bypass NO_PROXY matching and route through configured proxies, contrary to developer expectations.
Critical Impact
Attackers can exploit this vulnerability to force HTTP requests through a proxy even when NO_PROXY is configured to protect loopback or internal services, potentially enabling SSRF attacks against sensitive internal infrastructure.
Affected Products
- Axios versions prior to 1.15.0
- Node.js applications using vulnerable Axios versions
- Browser applications using vulnerable Axios versions
Discovery Timeline
- 2026-04-09 - CVE CVE-2025-62718 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2025-62718
Vulnerability Analysis
The vulnerability resides in how Axios processes hostname values when determining whether a request should bypass proxy settings based on the NO_PROXY environment variable. According to RFC 1034 and RFC 3986, hostnames can be represented in various forms including with trailing dots (Fully Qualified Domain Names) and IPv6 literals enclosed in brackets.
Prior to the fix, Axios did not normalize these hostname representations before comparing them against NO_PROXY entries. This meant that while localhost would correctly match a NO_PROXY entry, the equivalent localhost. or [::1] representations would fail to match, causing requests to unexpectedly route through the configured proxy.
Root Cause
The root cause is classified as CWE-441 (Unintended Proxy or Intermediary). The vulnerability stems from incomplete hostname normalization logic that fails to account for:
- Trailing dot notation - FQDNs ending with a dot (e.g., localhost.) are technically equivalent to their non-dotted counterparts but were not being normalized
- IPv6 literal brackets - IPv6 addresses enclosed in brackets (e.g., [::1]) were not being properly parsed and compared against NO_PROXY entries
- Port handling inconsistencies - Default port mappings for various protocols were not being applied consistently during comparison
Attack Vector
An attacker can exploit this vulnerability by crafting requests using non-normalized hostname representations. When an application uses Axios with proxy and NO_PROXY configurations, the attacker can force sensitive requests to route through a malicious or unintended proxy by using:
- localhost. instead of localhost
- [::1] instead of normalized IPv6 representations
- Internal hostnames with trailing dots
This enables potential SSRF attacks where the attacker can intercept or redirect traffic destined for internal services that were intended to bypass proxy routing.
The security fix introduces a new shouldBypassProxy helper module that properly handles hostname normalization:
const DEFAULT_PORTS = {
http: 80,
https: 443,
ws: 80,
wss: 443,
ftp: 21,
};
const parseNoProxyEntry = (entry) => {
let entryHost = entry;
let entryPort = 0;
if (entryHost.charAt(0) === '[') {
const bracketIndex = entryHost.indexOf(']');
if (bracketIndex !== -1) {
const host = entryHost.slice(1, bracketIndex);
const rest = entryHost.slice(bracketIndex + 1);
if (rest.charAt(0) === ':' && /^\d+$/.test(rest.slice(1))) {
entryPort = Number.parseInt(rest.slice(1), 10);
}
return [host, entryPort];
}
}
const firstColon = entryHost.indexOf(':');
const lastColon = entryHost.lastIndexOf(':');
Source: GitHub Axios Commit Details
Detection Methods for CVE-2025-62718
Indicators of Compromise
- Unexpected outbound proxy connections from internal services that should bypass proxy settings
- HTTP requests to internal services (localhost, 127.0.0.1, ::1) routing through corporate proxies
- Application logs showing proxy headers on requests destined for loopback addresses
- Network traffic analysis revealing internal service requests going through proxy infrastructure
Detection Strategies
- Review application dependencies using npm audit or yarn audit to identify vulnerable Axios versions
- Monitor network traffic for anomalous proxy routing of loopback-destined requests
- Implement application-level logging to track proxy bypass decisions
- Use software composition analysis (SCA) tools to identify affected packages across your codebase
Monitoring Recommendations
- Configure alerts for proxy traffic containing loopback addresses in the Host header
- Monitor for DNS queries or connections to internal services that unexpectedly traverse proxy infrastructure
- Implement egress traffic analysis to detect potential SSRF exploitation attempts
- Review application logs for requests using non-standard hostname formats (trailing dots, IPv6 literals)
How to Mitigate CVE-2025-62718
Immediate Actions Required
- Upgrade Axios to version 1.15.0 or later immediately
- Audit applications for Axios dependencies using npm ls axios or equivalent package manager commands
- Review NO_PROXY configurations to understand which services may have been exposed
- Implement network-level controls to restrict proxy access to internal services as a defense-in-depth measure
Patch Information
The vulnerability has been fixed in Axios version 1.15.0. The patch introduces proper hostname normalization in the shouldBypassProxy helper module, ensuring that:
- Trailing dots are stripped from FQDNs before comparison
- IPv6 literals are properly parsed and normalized
- Port comparisons use default port mappings when explicit ports are not specified
Users should upgrade to version 1.15.0 or later by running:
npm install axios@^1.15.0
# or
yarn upgrade axios@^1.15.0
For more details, see the GitHub Security Advisory GHSA-3p68-rc4w-qgx5 and the Axios v1.15.0 Release Notes.
Workarounds
- If immediate upgrade is not possible, implement additional network-level firewall rules to prevent proxy access to loopback addresses
- Configure web application firewalls to block requests with non-normalized hostname formats
- Consider implementing a custom HTTP agent that enforces hostname normalization before proxy decisions
- Use network segmentation to isolate sensitive internal services from proxy infrastructure
# Configuration example - Network-level workaround using iptables
# Block proxy traffic destined for loopback addresses
iptables -A OUTPUT -d 127.0.0.0/8 -p tcp --dport 3128 -j DROP
iptables -A OUTPUT -d ::1/128 -p tcp --dport 3128 -j DROP
# Verify Axios version in your project
npm ls axios
# Upgrade if version is below 1.15.0
npm update axios
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
