critical advisory

Axios NO_PROXY Hostname Normalization Bypass Leads to SSRF

Axios is vulnerable to a NO_PROXY hostname normalization bypass leading to SSRF, where requests to loopback addresses like `localhost.` or `[::1]` bypass `NO_PROXY` rules, allowing attackers to force requests through a proxy and potentially exfiltrate sensitive data.

Axios, a popular HTTP client for Node.js, is susceptible to a NO_PROXY bypass vulnerability due to incorrect hostname normalization. This flaw, confirmed in version 1.12.2 and affecting all versions prior to 1.15.0, arises from the application’s failure to properly handle hostnames with trailing dots (e.g., `localhost.`) or IPv6 literals (e.g., `[::1]`) when evaluating `NO_PROXY` rules. Instead of performing normalization as recommended by RFC standards, Axios conducts literal string comparisons. This oversight allows attackers to circumvent intended `NO_PROXY` configurations and force requests through an attacker-controlled proxy, even when loopback or internal services are meant to be protected. The vulnerability could be exploited to bypass SSRF mitigations, potentially enabling exfiltration of sensitive information.

Attack Chain

  1. The attacker identifies an application that uses a vulnerable version of Axios and relies on `NO_PROXY` for loopback protection.
  2. The attacker crafts a malicious URL targeting a loopback address (e.g., `http://localhost.:8080/` or `http://[::1]:8080/`).
  3. The vulnerable Axios instance processes the URL without proper hostname normalization.
  4. Due to the lack of normalization, the `NO_PROXY` check fails to recognize `localhost.` or `[::1]` as loopback addresses.
  5. Axios incorrectly routes the request through a configured proxy server, which could be controlled by the attacker.
  6. The attacker-controlled proxy receives the request and can forward it to the intended internal service.
  7. The internal service responds to the proxy.
  8. The attacker-controlled proxy captures the response data, potentially containing sensitive information, and can exfiltrate it.
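The normalization gap that the chain above turns on, shown as an added example that is not Axios's own code: a minimal `NO_PROXY` matcher in the literal-comparison style the advisory describes, beside one that normalizes the hostname (case folding, IPv6 bracket removal, trailing-dot removal) before comparing. The function names and the `NO_PROXY` value are hypothetical; the mitigation logic is the general fix for this class of bug, not a reproduction of the upstream patch.

```javascript
// Added example, not Axios's own code. Demonstrates why literal NO_PROXY comparison
// misses "localhost." and "[::1]", and how normalizing first closes the gap.
// Function names and NO_PROXY value are hypothetical.

const NO_PROXY = 'localhost,127.0.0.1,::1'; // constructed example configuration

// Shared entry matching: wildcard, exact match, or suffix match for ".domain" entries.
function matchEntries(host, entries) {
  return entries.some(entry =>
    entry === '*' || host === entry || (entry.startsWith('.') && host.endsWith(entry)));
}

// Flawed variant: compares the hostname string as given. "localhost." and "[::1]"
// are different strings from "localhost" and "::1", so both fall through to the proxy.
function literalNoProxyMatch(hostname, noProxy) {
  const entries = noProxy.split(',').map(e => e.trim().toLowerCase()).filter(Boolean);
  return matchEntries(hostname.toLowerCase(), entries);
}

// Normalization: case-fold, strip IPv6 brackets, drop a single trailing dot (FQDN form).
function normalizeHostname(hostname) {
  let h = hostname.trim().toLowerCase();
  if (h.startsWith('[') && h.endsWith(']')) h = h.slice(1, -1);
  if (h.length > 1 && h.endsWith('.')) h = h.slice(0, -1);
  return h;
}

// Hardened variant: normalize both the request hostname and every NO_PROXY entry.
function normalizedNoProxyMatch(hostname, noProxy) {
  const entries = noProxy.split(',').map(e => normalizeHostname(e)).filter(Boolean);
  return matchEntries(normalizeHostname(hostname), entries);
}

// Route a URL through a matcher: 'direct' when NO_PROXY applies, otherwise 'proxy'.
// WHATWG URL parsing keeps "localhost." and "[::1]" verbatim in .hostname, so the
// parser does not normalize on the matcher's behalf.
function proxyDecision(urlString, noProxy, matcher) {
  const { hostname } = new URL(urlString);
  return matcher(hostname, noProxy) ? 'direct' : 'proxy';
}

for (const target of ['http://localhost:8080/', 'http://localhost.:8080/', 'http://[::1]:8080/']) {
  console.log(target,
    'literal:', proxyDecision(target, NO_PROXY, literalNoProxyMatch),
    'normalized:', proxyDecision(target, NO_PROXY, normalizedNoProxyMatch));
}
```

Running it shows the plain `localhost` URL going direct under both matchers, while `localhost.` and `[::1]` go to the proxy under the literal matcher and direct under the normalized one. The normalization is applied to the configured entries as well as the request hostname, so an operator who wrote `localhost.` or `[::1]` in `NO_PROXY` is also handled consistently.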

Impact

Applications that depend on NO_PROXY settings to safeguard loopback or internal access are vulnerable to SSRF attacks. Attackers can exploit this flaw to force Axios to send local traffic through an attacker-controlled proxy server. This bypasses SSRF mitigations that rely on NO_PROXY rules, allowing the potential exfiltration of sensitive information from internal services via the compromised proxy. The number of affected applications is potentially large, given the widespread use of Axios in Node.js environments. Successful exploitation could lead to unauthorized access to sensitive internal resources and data breaches.

Recommendation

  • Upgrade Axios to version 1.15.0 or later to address the vulnerability (CVE-2025-62718).
  • Deploy the Sigma rule "Detect Axios SSRF via NO_PROXY Bypass" to identify attempts to exploit this vulnerability.
  • Inspect web server logs for requests containing loopback addresses with trailing dots or bracketed IPv6 literals to identify potential exploitation attempts.

Detection coverage (2 rules)

Detect Axios SSRF via NO_PROXY Bypass

Severity: high

Detects SSRF attempts exploiting Axios NO_PROXY bypass via hostname normalization issues (trailing dots or IPv6 brackets).

Type: sigma; tactics: initial_access; techniques: T1190; sources: webserver, linux

Detect Axios SSRF via NO_PROXY Bypass (HTTP Host Header)

Severity: high

Detects SSRF attempts exploiting Axios NO_PROXY bypass by checking the HTTP Host header for loopback addresses with trailing dots or IPv6 brackets.

Type: sigma; tactics: initial_access; techniques: T1190; sources: webserver, linux
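The detection queries themselves are not reproduced on this page, so the following is an added example, not the feed's Sigma rules: it applies the same two checks the rule descriptions give (loopback targets with a trailing dot or in bracketed IPv6 form, once on the HTTP Host header and once on an absolute-form request URL as a forward proxy would log it) to a handful of constructed JSON log lines. The log format, the sample lines, and the list of loopback spellings are assumptions.

```javascript
// Added detection example, not the advisory's Sigma rules. Flags requests whose Host
// header or absolute-form request target names loopback in a form that literal
// NO_PROXY matching misses. Log format, sample lines and pattern list are constructed.

// Loopback spellings that defeat literal comparison (this list is an assumption).
const LOOPBACK_BYPASS_FORMS = [
  /^localhost\.$/i,                      // FQDN form with trailing dot
  /^\[::1\]$/,                           // bracketed IPv6 loopback, compressed
  /^\[0(?::0){6}:1\]$/,                  // bracketed IPv6 loopback, expanded
  /^\[::ffff:127(?:\.\d{1,3}){3}\]$/i,   // bracketed IPv4-mapped loopback
];

// Split "host[:port]" into the host part; IPv6 literals keep their brackets.
function hostWithoutPort(hostHeader) {
  const m = /^(\[[^\]]*\]|[^:]+)(?::\d+)?$/.exec(hostHeader.trim());
  return m ? m[1] : hostHeader.trim();
}

function isLoopbackBypassForm(host) {
  return LOOPBACK_BYPASS_FORMS.some(re => re.test(host));
}

// Host of an absolute-form request target ("GET http://... HTTP/1.1"), as a forward
// proxy logs it; origin-form targets ("GET /path HTTP/1.1") yield null.
function absoluteFormHost(requestLine) {
  const target = requestLine.split(' ')[1];
  if (!target || !/^https?:\/\//i.test(target)) return null;
  try {
    return new URL(target).host; // keeps brackets and port, e.g. "[::1]:8080"
  } catch {
    return null;
  }
}

// Scan JSON log lines; returns one alert per matching field with its line index.
function scanLogLines(lines) {
  const alerts = [];
  lines.forEach((line, i) => {
    let rec;
    try { rec = JSON.parse(line); } catch { return; } // skip malformed lines
    if (isLoopbackBypassForm(hostWithoutPort(rec.host || ''))) {
      alerts.push({ line: i, reason: 'host_header', value: rec.host });
    }
    const urlHost = absoluteFormHost(rec.request || '');
    if (urlHost !== null && isLoopbackBypassForm(hostWithoutPort(urlHost))) {
      alerts.push({ line: i, reason: 'request_url', value: rec.request });
    }
  });
  return alerts;
}

// Constructed sample log: lines 0, 1 and 3 should alert; 2, 4 and 5 are benign.
const SAMPLE_LOG = [
  '{"ts":"2025-01-01T00:00:00Z","src":"10.0.0.5","host":"localhost.:8080","request":"GET /admin HTTP/1.1"}',
  '{"ts":"2025-01-01T00:00:01Z","src":"10.0.0.5","host":"[::1]","request":"GET /metrics HTTP/1.1"}',
  '{"ts":"2025-01-01T00:00:02Z","src":"10.0.0.9","host":"localhost:8080","request":"GET /health HTTP/1.1"}',
  '{"ts":"2025-01-01T00:00:03Z","src":"10.0.0.5","host":"proxy.internal","request":"GET http://localhost.:8080/secret HTTP/1.1"}',
  '{"ts":"2025-01-01T00:00:04Z","src":"10.0.0.7","host":"example.com.","request":"GET / HTTP/1.1"}',
  '{"ts":"2025-01-01T00:00:05Z","src":"10.0.0.7","host":"[2001:db8::1]","request":"GET / HTTP/1.1"}',
];

console.log(JSON.stringify(scanLogLines(SAMPLE_LOG), null, 2));
```

The two checks are kept separate because they answer different questions: a loopback Host header on a web server means a client presented that spelling directly, while a loopback host inside an absolute-form target means the request arrived via a proxy hop, which is the path the advisory describes. A trailing dot on a non-loopback name (`example.com.`) and an ordinary bracketed IPv6 address are deliberately not flagged, since both are legitimate forms and would otherwise swamp the alert with noise.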
