{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/axios/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"id":"CVE-2025-62718"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["ssrf","no_proxy","axios","hostname_normalization"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eAxios, a popular HTTP client for Node.js, is susceptible to a NO_PROXY bypass vulnerability due to incorrect hostname normalization. This flaw, confirmed in version 1.12.2 and affecting all versions prior to 1.15.0, arises from the application\u0026rsquo;s failure to properly handle hostnames with trailing dots (e.g., \u003ccode\u003elocalhost.\u003c/code\u003e) or IPv6 literals (e.g., \u003ccode\u003e[::1]\u003c/code\u003e) when evaluating \u003ccode\u003eNO_PROXY\u003c/code\u003e rules. Instead of performing normalization as recommended by RFC standards, Axios conducts literal string comparisons. This oversight allows attackers to circumvent intended \u003ccode\u003eNO_PROXY\u003c/code\u003e configurations and force requests through an attacker-controlled proxy, even when loopback or internal services are meant to be protected. The vulnerability could be exploited to bypass SSRF mitigations, potentially enabling exfiltration of sensitive information.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an application that uses a vulnerable version of Axios and relies on \u003ccode\u003eNO_PROXY\u003c/code\u003e for loopback protection.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious URL targeting a loopback address (e.g., \u003ccode\u003ehttp://localhost.:8080/\u003c/code\u003e or \u003ccode\u003ehttp://[::1]:8080/\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe vulnerable Axios instance processes the URL without proper hostname normalization.\u003c/li\u003e\n\u003cli\u003eDue to the lack of normalization, the \u003ccode\u003eNO_PROXY\u003c/code\u003e check fails to recognize \u003ccode\u003elocalhost.\u003c/code\u003e or \u003ccode\u003e[::1]\u003c/code\u003e as loopback addresses.\u003c/li\u003e\n\u003cli\u003eAxios incorrectly routes the request through a configured proxy server, which could be controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker-controlled proxy receives the request and can forward it to the intended internal service.\u003c/li\u003e\n\u003cli\u003eThe internal service responds to the proxy.\u003c/li\u003e\n\u003cli\u003eThe attacker-controlled proxy captures the response data, potentially containing sensitive information, and can exfiltrate it.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eApplications that depend on \u003ccode\u003eNO_PROXY\u003c/code\u003e settings to safeguard loopback or internal access are vulnerable to SSRF attacks. Attackers can exploit this flaw to force Axios to send local traffic through an attacker-controlled proxy server. This bypasses SSRF mitigations that rely on \u003ccode\u003eNO_PROXY\u003c/code\u003e rules, allowing the potential exfiltration of sensitive information from internal services via the compromised proxy. The number of affected applications is potentially large, given the widespread use of Axios in Node.js environments. Successful exploitation could lead to unauthorized access to sensitive internal resources and data breaches.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Axios to version 1.15.0 or later to address the vulnerability (CVE-2025-62718).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Axios SSRF via NO_PROXY Bypass\u003c/code\u003e to identify attempts to exploit this vulnerability.\u003c/li\u003e\n\u003cli\u003eInspect web server logs for requests containing loopback addresses with trailing dots or bracketed IPv6 literals to identify potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T17:32:19Z","date_published":"2026-04-09T17:32:19Z","id":"/briefs/2024-01-axios-ssrf/","summary":"Axios is vulnerable to a NO_PROXY hostname normalization bypass leading to SSRF, where requests to loopback addresses like `localhost.` or `[::1]` bypass `NO_PROXY` rules, allowing attackers to force requests through a proxy and potentially exfiltrate sensitive data.","title":"Axios NO_PROXY Hostname Normalization Bypass Leads to SSRF","url":"https://feed.craftedsignal.io/briefs/2024-01-axios-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed — Axios","version":"https://jsonfeed.org/version/1.1"}