VulniosVulnios
All Threat Alerts
criticalCVE Alert
CVE-2025-62718

Critical Vulnerability: CVE-2025-62718 — axios — axios

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services. This is

Tuesday, April 14, 2026axiosVulnios Threat Intelligence
Share:

Executive Summary

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services. This issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or internal services despite the configured protections. This vulnerability is fixed in 1.15.0 and 0.31.0.

Why It Matters

CVE-2025-62718 is rated CRITICAL severity, requiring immediate attention from security teams.

CVSS Base Score: 9.9/10

EPSS (Exploit Prediction): 0.0% probability of exploitation in the next 30 days.

Affected Technologies

Vendors: axios

Products: axios

🛡️What Defenders Should Check

  • Check if you are affected — Review your asset inventory for products listed in CVE-2025-62718.
  • Apply available patches — Visit vendor advisories for the latest security updates.
  • Monitor for exploitation — Check your SIEM/IDS logs for related indicators.

    • Use Vulnios to continuously monitor your exposure to CVE-2025-62718 and similar vulnerabilities.

    References & Sources

  • https://datatracker.ietf.org/doc/html/rfc1034#section-3.1
  • https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2
  • https://github.com/axios/axios/commit/03cdfc99e8db32a390e12128208b6778492cee9c
  • https://github.com/axios/axios/commit/fb3befb6daac6cad26b2e54094d0f2d9e47f24df
  • https://github.com/axios/axios/pull/10661
  • https://github.com/axios/axios/pull/10688
  • https://github.com/axios/axios/releases/tag/v0.31.0
  • https://github.com/axios/axios/releases/tag/v1.15.0
  • https://github.com/axios/axios/security/advisories/GHSA-3p68-rc4w-qgx5
  • https://github.com/axios/axios/security/advisories/GHSA-3p68-rc4w-qgx5

    • AI Security Advisor

    Powered by Gemini

    Get AI-powered security recommendations tailored to this specific threat — including risk assessment, detection guidance, MITRE ATT&CK mapping, and actionable remediation steps.

    Affected Products

    axios

    Sources

    critical

    Protect Your Organization

    Monitor CVEs, scan for vulnerabilities, and get real-time threat alerts — all in one platform.

    Get Started FreeFree Security ScanOSINT Dashboard

    Get instant alerts on Telegram

    Join our public channel for real-time critical CVE alerts.

    Follow @vulnios