QwikSec

Security Database

CVE

CWE

Training

CVE-2025-62718

Published: Apr 9, 2026

Modified: Apr 16, 2026

PUBLISHED

Description

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services. This issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or internal services despite the configured protections. This vulnerability is fixed in 1.15.0 and 0.31.0.

Vendor	Product	Versions
axios	axios	affected `>= 1.0.0, < 1.15.0` affected `< 0.31.0`

Weaknesses (CWE)

References

https://github.com/axios/axios/security/advisories/GHSA-3p68-rc4w-qgx5

x_refsource_CONFIRM

https://github.com/axios/axios/pull/10661

x_refsource_MISC

https://github.com/axios/axios/pull/10688

x_refsource_MISC

https://github.com/axios/axios/commit/03cdfc99e8db32a390e12128208b6778492cee9c

x_refsource_MISC

https://github.com/axios/axios/commit/fb3befb6daac6cad26b2e54094d0f2d9e47f24df

x_refsource_MISC

https://datatracker.ietf.org/doc/html/rfc1034#section-3.1

x_refsource_MISC

https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2

x_refsource_MISC

https://github.com/axios/axios/releases/tag/v0.31.0

x_refsource_MISC

https://github.com/axios/axios/releases/tag/v1.15.0

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.