Server-side request forgery (SSRF) in axios

Description

Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF

Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy.

This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services.

According to RFC 1034 §3.1 and RFC 3986 §3.2.2, a hostname can have a trailing dot to show it is a fully qualified domain name (FQDN). At the DNS level, localhost. is the same as localhost. However, Axios does a literal string comparison instead of normalizing hostnames before checking NO_PROXY. This causes requests like http://localhost.:8080/ and http://[::1]:8080/ to be incorrectly proxied.

This issue can lead to proxy bypass and SSRF vulnerabilities, allowing attackers to reach sensitive loopback or internal services despite the configured protections.


PoC

import http from "http";
import axios from "axios";

const proxyPort = 5300;

http.createServer((req, res) => {
  console.log("[PROXY] Got:", req.method, req.url, "Host:", req.headers.host);
  res.writeHead(200, { "Content-Type": "text/plain" });...

Expected: Requests bypass the proxy (direct to loopback).

Actual: Proxy logs requests for localhost. and [::1].


Impact

    Applications that rely on NO_PROXY=localhost,127.0.0.1,::1 for protecting loopback/internal access are vulnerable.

    Attackers controlling request URLs can:

      Force Axios to send local traffic through an attacker-controlled proxy.

      Bypass SSRF mitigations relying on NO_PROXY rules.

      Potentially exfiltrate sensitive responses from internal services via the proxy.


Affected Versions

    Confirmed on Axios 1.12.2 (latest at time of testing).

    Affects all versions that rely on Axios’ current NO_PROXY evaluation.


Remediation

Axios should normalize hostnames before evaluating NO_PROXY, including:

    Strip trailing dots from hostnames (per RFC 3986).

    Normalize IPv6 literals by removing brackets for matching.
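
The two normalization steps above, shown next to the literal comparison the advisory describes. This is an added example, not axios source code or its patch: the function names are hypothetical, the subdomain-suffix rule is an assumed NO_PROXY convention, and the sample URLs are the advisory's two plus two constructed controls.

```javascript
// Added example; not axios source. All function names here are hypothetical.

// Canonical host form for NO_PROXY matching, per the two remediation steps.
function normalizeHost(host) {
  let h = String(host).trim().toLowerCase();
  if (h.startsWith("[") && h.endsWith("]")) h = h.slice(1, -1); // "[::1]" -> "::1"
  return h.replace(/\.+$/, ""); // "localhost." -> "localhost"
}

// Split a NO_PROXY value into normalized entries; ".corp" and "*.corp" become "corp".
function parseNoProxy(value) {
  return String(value || "")
    .split(/[\s,]+/)
    .filter(Boolean)
    .map((e) => (e === "*" ? e : normalizeHost(e.replace(/^\*?\./, ""))));
}

// Literal comparison, as the advisory describes the vulnerable behaviour.
function literalMatch(url, noProxy) {
  const host = new URL(url).hostname; // keeps the trailing dot and the brackets
  return String(noProxy).split(",").some((e) => e.trim() === host);
}

// Normalized comparison: exact match, or a subdomain of an entry (assumed convention).
function normalizedMatch(url, noProxy) {
  const host = normalizeHost(new URL(url).hostname);
  return parseNoProxy(noProxy).some(
    (e) => e === "*" || host === e || host.endsWith("." + e)
  );
}

// Constructed sample input: the advisory's NO_PROXY value and URLs, plus two controls.
const NO_PROXY = "localhost,127.0.0.1,::1";
const SAMPLE_URLS = [
  "http://localhost:8080/",
  "http://localhost.:8080/",
  "http://[::1]:8080/",
  "http://example.com/",
];

for (const url of SAMPLE_URLS) {
  console.log(url, "literal:", literalMatch(url, NO_PROXY),
    "normalized:", normalizedMatch(url, NO_PROXY));
}
```

An application that cannot upgrade yet can apply the same normalization to user-supplied URLs before handing them to the HTTP client.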

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.
