Donate Telegram

CVE-2025-62718

CRITICAL CVSS 4.0: 6.3 EPSS 0.03%

Apr 09, 2026

Updated Apr 16, 2026

Axios

Parameter	Value
CVSS	6.3 (CRITICAL)
Affected Versions	before 1.15.0
Fixed In	1.15.0
Type	CWE-441, CWE-918 (Server-Side Request Forgery (SSRF))
Vendor	Axios
Public PoC	No

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy.

This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services. This issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or internal services despite the configured protections. This vulnerability is fixed in 1.15.0 and 0.31.0.

Attack Parameters

Attack Vector

Network

Can be exploited remotely

Attack Complexity

Low

Easy to exploit

Attack Requirements

Present

Additional conditions required

Privileges Required

None

No privileges needed

User Interaction

None

No user interaction needed

Impact Assessment

Confidentiality

Low

Partial data leak

Integrity

Low

Partial data modification

Availability

None

No disruption

CVSS Vector v4.0

Weakness Type (CWE)

CWE-918 Server-Side Request Forgery (SSRF)

Vulnerable Products 1

Configuration	From (including)	Up to (excluding)
Axios Axios cpe:2.3:a:axios:axios::::::node.js::*	—	`1.15.0`

References 9

https://datatracker.ietf.org/doc/html/rfc1034#section-3.1

security-advisories@github.com

https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2

security-advisories@github.com

https://github.com/axios/axios/commit/fb3befb6daac6cad26b2e54094d0f2d9e47f24df

security-advisories@github.com

https://github.com/axios/axios/pull/10661

security-advisories@github.com

https://github.com/axios/axios/releases/tag/v1.15.0

security-advisories@github.com

https://github.com/axios/axios/security/advisories/GHSA-3p68-rc4w-qgx5

security-advisories@github.com

https://github.com/axios/axios/commit/03cdfc99e8db32a390e12128208b6778492cee9c

security-advisories@github.com

https://github.com/axios/axios/pull/10688

security-advisories@github.com

https://github.com/axios/axios/releases/tag/v0.31.0

security-advisories@github.com

Share Post Share Share Share

Related Vulnerabilities

CVE-2025-27152

Axios

CVE-2024-57965

Axios

CVE Details

CVE ID

CVE-2025-62718

Published Date

Apr 09, 2026

Vendor

Axios

Severity

CRITICAL

CVSS v4.0 Score

6.3

Medium severity. Plan remediation.

Exploit Prediction (EPSS)

Probability of Exploit 0.03%

Likelihood of exploitation in next 30 days

Percentile: 10.4th percentile (higher than 10.4% of all CVEs)

Standard patching cycle

Impact

Partial data disclosure

Partial data modification

Source

Editor's Choice