CVE-2025-62718
Proxy Bypass vulnerability in axios (npm)

Proxy Bypass | No known exploit

What is CVE-2025-62718 About?

This vulnerability in Axios stems from incorrect hostname normalization, which lets attackers bypass 'NO_PROXY' rules. This can lead to Server-Side Request Forgery (SSRF) by forcing requests through a proxy to sensitive internal services. Exploitation is relatively easy, since it relies only on supplying hostnames in specific formats.

Affected Software

axios <1.15.0

Technical Details

Axios fails to correctly normalize hostnames when evaluating NO_PROXY rules. Specifically, hostnames with a trailing dot (e.g., localhost.) or IPv6 literals (e.g., [::1]) are not normalized before being compared against NO_PROXY entries. Because a literal string comparison is performed instead of a normalized one, requests to hosts written in these forms fail to match the NO_PROXY list. As a result, requests that should be rejected or handled directly are instead routed through a configured proxy, potentially allowing attackers to reach internal or loopback services despite security configurations.
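The comparison mismatch described above can be seen by implementing a small NO_PROXY matcher two ways. The following is an added example written for this page, not axios's own code: `literalMatch` compares the raw URL host string against each NO_PROXY entry (the weak behaviour described here), while `normalizedMatch` canonicalizes both sides first by lower-casing, dropping a trailing dot and removing IPv6 brackets. The NO_PROXY value, the sample URLs and the matching rules (exact match or domain-suffix match) are constructed assumptions for illustration; they are not taken from the axios source.

```javascript
// Added example (not axios's own code): contrast a literal NO_PROXY check
// with a normalized one over the same sample URLs.

// Split a NO_PROXY value ("localhost, ::1, .internal.example") into entries.
function parseNoProxy(noProxy) {
  return String(noProxy || "")
    .split(",")
    .map((e) => e.trim())
    .filter((e) => e.length > 0);
}

// Canonical form for comparison: lower-case, drop one trailing dot
// (absolute-FQDN form "localhost."), drop IPv6 brackets ("[::1]" -> "::1").
function normalizeHostname(hostname) {
  let h = String(hostname).trim().toLowerCase();
  if (h.startsWith("[") && h.endsWith("]")) h = h.slice(1, -1);
  if (h.length > 1 && h.endsWith(".")) h = h.slice(0, -1);
  return h;
}

// One entry matches when it is "*", equals the host, or is a domain suffix
// of it (entries may be written as "example" or ".example").
function entryMatches(host, entry) {
  if (entry === "*") return true;
  const bare = entry.startsWith(".") ? entry.slice(1) : entry;
  return host === bare || host.endsWith("." + bare);
}

// Weak form: compare the host string exactly as it appears in the URL.
function literalMatch(hostname, noProxy) {
  return parseNoProxy(noProxy).some((e) => entryMatches(hostname, e));
}

// Hardened form: normalize the request host and every entry before comparing.
function normalizedMatch(hostname, noProxy) {
  const host = normalizeHostname(hostname);
  return parseNoProxy(noProxy).some((e) =>
    entryMatches(host, normalizeHostname(e))
  );
}

// Routing decision: "direct" when NO_PROXY matches, otherwise "proxy".
// The WHATWG URL parser keeps "localhost." and "[::1]" verbatim in hostname.
function routeFor(urlString, noProxy, matcher) {
  const { hostname } = new URL(urlString);
  return matcher(hostname, noProxy) ? "direct" : "proxy";
}

// Constructed sample: an app that proxies egress but expects loopback and
// an internal domain to be reached directly.
const SAMPLE_NO_PROXY = "localhost,127.0.0.1,::1,.internal.example";
const SAMPLE_URLS = [
  "http://localhost:3000/admin",
  "http://localhost.:3000/admin", // trailing dot
  "http://[::1]:3000/admin", // IPv6 literal
  "http://svc.internal.example/",
  "https://example.com/",
];

// Run every sample URL through both matchers and report both decisions.
function compareRouting(urls = SAMPLE_URLS, noProxy = SAMPLE_NO_PROXY) {
  return urls.map((url) => ({
    url,
    literal: routeFor(url, noProxy, literalMatch),
    normalized: routeFor(url, noProxy, normalizedMatch),
  }));
}

for (const r of compareRouting()) {
  const flag =
    r.literal !== r.normalized ? "  <-- literal check sends it to the proxy" : "";
  console.log(
    `${r.url.padEnd(32)} literal=${r.literal.padEnd(6)} normalized=${r.normalized}${flag}`
  );
}
```

Running the block prints one row per URL; the trailing-dot and bracketed-IPv6 rows are the two where the literal check routes a loopback request through the proxy while the normalized check keeps it direct. The same normalization step can be reused as a unit test against any HTTP client wrapper that reads NO_PROXY, which is a cheap way to confirm a deployed version behaves as intended.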

What is the Impact of CVE-2025-62718?

Successful exploitation may allow attackers to bypass intended proxy restrictions, leading to Server-Side Request Forgery (SSRF) or unauthorized access to internal network resources and services. Attackers could force internal traffic through an attacker-controlled proxy or exfiltrate sensitive data from internal services.

What is the Exploitability of CVE-2025-62718?

Exploitation requires influence over the URLs that Axios requests, specifically the ability to supply hostnames in forms such as a trailing dot or an IPv6 literal. No authentication is explicitly required if the attacker can dictate the URL. Privilege requirements are low, as the vulnerability lies within how Axios processes hostname resolution. The attack is remote, contingent on the application's exposure and its use of Axios for HTTP requests. The primary constraint is whether the application relies on NO_PROXY rules to protect internal services. Risk is higher when applications accept user-controlled URLs or when NO_PROXY is a critical component of the application's security architecture.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2025-62718?

Available Upgrade Options

  • axios
    • <1.15.0 → Upgrade to 1.15.0

Struggling with dependency upgrades?

See how Resolved Security's drop-in replacements make it simple.


Additional Resources

What are Similar Vulnerabilities to CVE-2025-62718?

Similar Vulnerabilities: CVE-2023-45819, CVE-2023-43646, CVE-2023-38408, CVE-2023-38407, CVE-2023-28155