Attack Chain

1. The attacker identifies an application using a vulnerable version of Axios and relies on NO_PROXY for loopback protection.
2. The attacker crafts a malicious URL targeting a loopback address (e.g., http://localhost.:8080/ or http://[::1]:8080/).
3. The vulnerable Axios instance processes the URL without proper hostname normalization.
4. Due to the lack of normalization, the NO_PROXY check fails to recognize localhost. or [::1] as loopback addresses.
5. Axios incorrectly routes the request through a configured proxy server, which could be controlled by the attacker.
6. The attacker-controlled proxy receives the request and can forward it to the intended internal service.
7. The internal service responds to the proxy.
8. The attacker-controlled proxy captures the response data, potentially containing sensitive information, and can exfiltrate it.

Impact

Applications that depend on NO_PROXY settings to safeguard loopback or internal access are vulnerable to SSRF attacks. Attackers can exploit this flaw to force Axios to send local traffic through an attacker-controlled proxy server. This bypasses SSRF mitigations that rely on NO_PROXY rules, allowing the potential exfiltration of sensitive information from internal services via the compromised proxy. The number of affected applications is potentially large, given the widespread use of Axios in Node.js environments. Successful exploitation could lead to unauthorized access to sensitive internal resources and data breaches.

Recommendation

• Upgrade Axios to version 1.15.0 or later to address the vulnerability (CVE-2025-62718).
• Deploy the Sigma rule Detect Axios SSRF via NO_PROXY Bypass to identify attempts to exploit this vulnerability.
• Inspect web server logs for requests containing loopback addresses with trailing dots or bracketed IPv6 literals to identify potential exploitation attempts.