Zero Day Monitor (ZDM)
Zero Day Monitor © 2026
CVE-2025-62718 · CVSS 4.8 · EXPLOITED · PATCHED
Vendor: axios · Product: axios

Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF

Description

Axios is a promise-based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses written as localhost. (with a trailing dot) or [::1] (an IPv6 literal in brackets) skip NO_PROXY matching and are sent through the configured proxy. This contradicts what developers expect and lets an attacker force requests through a proxy even when NO_PROXY has been set up to protect loopback or internal services. The result is a proxy bypass that can be turned into SSRF, allowing an attacker to reach sensitive loopback or internal services despite the configured protections. This vulnerability is fixed in 1.15.0 and 0.31.0.
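As an added illustration (this is not axios's own code, which lives in the linked pull requests; the function names are assumptions), the snippet below contrasts a naive NO_PROXY matcher that compares the raw URL host with one that canonicalizes the host first, so that localhost. and [::1] match the loopback rules an operator actually wrote.

```javascript
// Added example: canonicalize a URL host before matching it against NO_PROXY.
// Not axios's code; function names are assumptions chosen for illustration.

// Naive matcher: compares the host string exactly as it appears in the URL.
function naiveBypassesProxy(host, noProxy) {
  const rules = noProxy.split(',').map((r) => r.trim()).filter(Boolean);
  return rules.some((rule) => rule === '*' || host === rule ||
    (rule.startsWith('.') && host.endsWith(rule)));
}

// Canonical form of a host for matching: strip the RFC 3986 IPv6 brackets,
// drop the RFC 1034 trailing dot(s), and lower-case the DNS labels.
function normalizeHost(host) {
  let h = host.trim().toLowerCase();
  if (h.startsWith('[') && h.endsWith(']')) h = h.slice(1, -1); // [::1] -> ::1
  while (h.endsWith('.')) h = h.slice(0, -1);                  // localhost. -> localhost
  return h;
}

// Hardened matcher: both the request host and every rule are canonicalized,
// and a rule without a leading dot also matches as a domain suffix.
function normalizedBypassesProxy(host, noProxy) {
  const h = normalizeHost(host);
  const rules = noProxy.split(',').map((r) => normalizeHost(r)).filter(Boolean);
  return rules.some((rule) => {
    if (rule === '*') return true;
    const suffix = rule.startsWith('.') ? rule : '.' + rule;
    return h === rule || h.endsWith(suffix);
  });
}

// Constructed sample: the NO_PROXY an operator would set to protect loopback.
const NO_PROXY = 'localhost,127.0.0.1,::1,.internal.example';

// Side-by-side verdict for one host, e.g. compare('localhost.')
// returns { naive: false, normalized: true }.
function compare(host) {
  return { naive: naiveBypassesProxy(host, NO_PROXY),
           normalized: normalizedBypassesProxy(host, NO_PROXY) };
}
```

String canonicalization alone does not cover the 127.0.0.0/8 loopback-subnet case listed under Related CVEs (CVE-2026-42043); that requires address-range matching on top of the host comparison.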

Affected Products

Vendor   Product   Versions
axios    axios     npm/axios: >= 1.0.0, < 1.15.0; npm/axios: < 0.31.0

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor   Product                  Source          Confidence
ibm      app connect enterprise   cert_advisory   90%
ibm      license metric tool      cert_advisory   90%
npm      axios                    GHSA            85%

References

  • https://github.com/axios/axios/security/advisories/GHSA-3p68-rc4w-qgx5 (CONFIRM)
  • https://github.com/axios/axios/pull/10661 (MISC)
  • https://github.com/axios/axios/pull/10688 (MISC)
  • https://github.com/axios/axios/commit/03cdfc99e8db32a390e12128208b6778492cee9c (MISC)
  • https://github.com/axios/axios/commit/fb3befb6daac6cad26b2e54094d0f2d9e47f24df (MISC)
  • https://datatracker.ietf.org/doc/html/rfc1034#section-3.1 (MISC)
  • https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2 (MISC)
  • https://github.com/axios/axios/releases/tag/v0.31.0 (MISC)
  • https://github.com/axios/axios/releases/tag/v1.15.0 (MISC)

Related News (5 articles)

Tier B · BSI Advisories · 3d ago
[NEW] [high] IBM License Metric Tool: Multiple vulnerabilities allow an unspecified attack
→ No new info (linked only)
Tier B · CERT-FR · 9d ago
Multiple vulnerabilities in Splunk products (21 May 2026)
→ No new info (linked only)
Tier B · BSI Advisories · 44d ago
[NEW] [high] IBM App Connect Enterprise: Multiple vulnerabilities
→ No new info (linked only)
Tier A · Microsoft MSRC · 45d ago
CVE-2025-62718 Axios has a NO_PROXY Hostname Normalization Bypass Leads to SSRF
→ No new info (linked only)
Tier C · VulDB · 51d ago
CVE-2025-62718 | Axios up to 1.14.x NO_PROXY Normalization confused deputy (GHSA-3p68-rc4w-qgx5)
→ No new info (linked only)
CVSS 3.1: 4.8 MEDIUM
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
CISA KEV: No
Actively exploited: Yes
Patch available: axios@1.15.0, axios@0.31.0
CWE: CWE-441, CWE-918
Published: Apr 9, 2026
Last enriched: 51d ago (v2)
Tags: CVE-2025-62718
Trending score: 48
Source articles: 5
Independent: 4
Info completeness: 8/14
Missing: cvss, epss, kev, exploit, iocs, mitre_attack


Related CVEs (5)

MEDIUM · CVE-2026-42034 · EXP
Axios: HTTP adapter streamed uploads bypass maxBodyLength when maxRedirects: 0
Trending: 44
HIGH · CVE-2026-42033 · EXP
Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking
Trending: 43
HIGH · CVE-2026-44490 · EXP
axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions
Trending: 43
HIGH · CVE-2026-42035 · EXP
Axios: Header Injection via Prototype Pollution
Trending: 43
HIGH · CVE-2026-42043
Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0
Trending: 39

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: Apr 9, 2026
Discovered by ZDM: Apr 9, 2026
Updated (description, severity, activelyExploited, patchAvailable, tags): Apr 9, 2026
Actively Exploited: Apr 16, 2026
Patch Available: Apr 16, 2026

Version History

Current version: v2 (last enriched 51d ago)

v2 · Tier C · 51d ago
Updated severity to CRITICAL, added CVE-2025-62718, and changed exploit availability status.
Fields changed: description, severity, activelyExploited, patchAvailable, tags
via VulDB

v1 · 51d ago
Initial creation