CVE-2025-62718: Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF

Published Apr 9, 2026

Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy.

This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services.

According to RFC 1034 §3.1 and RFC 3986 §3.2.2, a hostname can have a trailing dot to show it is a fully qualified domain name (FQDN). At the DNS level, localhost. is the same as localhost. However, Axios does a literal string comparison instead of normalizing hostnames before checking NO_PROXY. This causes requests like http://localhost.:8080/ and http://[::1]:8080/ to be incorrectly proxied.

This issue leads to the possibility of proxy bypass and SSRF vulnerabilities, allowing attackers to reach sensitive loopback or internal services despite the configured protections.

---

PoC

```js
import http from "http";
import axios from "axios";

const proxyPort = 5300;

// Stand-in "proxy": it only logs what reaches it and answers 200.
http.createServer((req, res) => {
  console.log("[PROXY] Got:", req.method, req.url, "Host:", req.headers.host);
  res.writeHead(200, { "Content-Type": "text/plain" });
  res.end("proxied");
}).listen(proxyPort, () => console.log("Proxy", proxyPort));

process.env.HTTP_PROXY = `http://127.0.0.1:${proxyPort}`;
process.env.NO_PROXY = "localhost,127.0.0.1,::1";

async function test(url) {
  try {
    await axios.get(url, { timeout: 2000 });
  } catch {}
}

setTimeout(async () => {
  console.log("\n[*] Testing http://localhost.:8080/");
  await test("http://localhost.:8080/"); // goes through proxy

  console.log("\n[*] Testing http://[::1]:8080/");
  await test("http://[::1]:8080/"); // goes through proxy
}, 500);
```

Expected: Requests bypass the proxy (direct to loopback).
Actual: Proxy logs requests for localhost. and [::1].

---

Impact

Applications that rely on NO_PROXY=localhost,127.0.0.1,::1 for protecting loopback/internal access are vulnerable. Attackers controlling request URLs can:

- Force Axios to send local traffic through an attacker-controlled proxy.
- Bypass SSRF mitigations relying on NO_PROXY rules.
- Potentially exfiltrate sensitive responses from internal services via the proxy.

---

Affected Versions

Confirmed on Axios 1.12.2 (latest at time of testing). Affects all versions that rely on Axios’ current NO_PROXY evaluation.

---

Remediation

Axios should normalize hostnames before evaluating NO_PROXY, including:

- Strip trailing dots from hostnames (per RFC 3986).
- Normalize IPv6 literals by removing brackets for matching.
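As an added example (not axios' own code, and not the fix that shipped in 1.15.0), the following puts the literal comparison described above beside a matcher that applies the two normalization steps from the remediation list, using Node's built-in WHATWG URL parser; the comma-splitting of NO_PROXY and the leading-dot suffix convention are assumptions.

```javascript
// Added example, not axios' own code: a NO_PROXY matcher that normalizes the
// request hostname before comparison, beside a literal comparison that
// reproduces the bypass. Uses Node's built-in WHATWG URL parser (global URL).

// Split a NO_PROXY value into lowercase entries (assumed comma-separated, as in
// the PoC above); "*" is the conventional "never proxy" wildcard.
function parseNoProxy(value) {
  return value.split(",").map((e) => e.trim().toLowerCase()).filter(Boolean);
}

// Canonical form for matching: lowercase, brackets removed from an IPv6
// literal, and the FQDN trailing dot removed (RFC 1034 §3.1 / RFC 3986 §3.2.2).
function normalizeHost(hostname) {
  let h = hostname.toLowerCase();
  if (h.startsWith("[") && h.endsWith("]")) h = h.slice(1, -1);
  if (h.endsWith(".")) h = h.slice(0, -1);
  return h;
}

// Vulnerable pattern: compare the parsed hostname as-is. The URL parser keeps
// "localhost." and "[::1]" verbatim, so neither equals its NO_PROXY entry.
function literalNoProxyMatch(url, noProxy) {
  const host = new URL(url).hostname;
  return parseNoProxy(noProxy).some((e) => e === "*" || host === e);
}

// Hardened pattern: normalize both sides. An entry with a leading dot is
// treated as a domain suffix (".internal" matches "api.internal"), an assumed
// convention; plain entries must match the whole host, never a substring.
function normalizedNoProxyMatch(url, noProxy) {
  const host = normalizeHost(new URL(url).hostname);
  return parseNoProxy(noProxy).some((e) => {
    if (e === "*") return true;
    const entry = normalizeHost(e);
    if (entry.startsWith(".")) {
      return host === entry.slice(1) || host.endsWith(entry);
    }
    return host === entry;
  });
}
```

With the PoC's NO_PROXY value, `literalNoProxyMatch` returns false for both PoC URLs (so they would be proxied) while `normalizedNoProxyMatch` returns true for both.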

Other sources

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services. This issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or internal services despite the configured protections. This vulnerability is fixed in 1.15.0 and 0.31.0.

MITRE

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services. This issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or internal services despite the configured protections. This vulnerability is fixed in 1.15.0.

NVD

Affected Software

5 affected components (fixes available):

- npm/axios: affected <1.15.0; fixed in 1.15.0
- Axios Node.js: affected <0.31.0
- Axios Node.js: affected >=1.0.0 <1.15.0
- IBM MQ Operator, affected versions:
  SC2: v3.2.0 - v3.2.23
  CD: v3.3.0, v3.4.0, v3.4.1, v3.5.0, v3.5.1 - v3.5.3, v3.6.0 - v3.6.4, v3.7.0 - v3.7.2, v3.8.0, v3.8.1, v3.9.0, v3.9.1
  LTS: v2.0.0 - 2.0.29
- IBM supplied MQ Advanced container images, affected versions:
  SC2: 9.4.0.6-r1, 9.4.0.6-r2, 9.4.0.7-r1, 9.4.0.10-r1, 9.4.0.10-r2, 9.4.0.11-r1, 9.4.0.11-r2, 9.4.0.11-r3, 9.4.0.12-r1, 9.4.0.15-r1 - 9.4.0.15-r4, 9.4.0.16-r1, 9.4.0.16-r2, 9.4.0.17-r1, 9.4.0.17-r2, 9.4.0.20-r1
  CD: 9.4.1.0-r1, 9.4.1.0-r2, 9.4.1.1-r1, 9.4.2.0-r1, 9.4.2.0-r2, 9.4.2.1-r1, 9.4.2.1-r2, 9.4.3.0-r1, 9.4.3.0-r2, 9.4.3.1-r1 - 9.4.3.1-r3, 9.4.4.0-r1 - 9.4.4.0-r4, 9.4.4.1-r1, 9.4.5.0-r1, 9.4.5.0-r2
  LTS: 9.3.0.0-r1, 9.3.0.0-r2, 9.3.0.0-r3, 9.3.0.1-r1, 9.3.0.1-r2, 9.3.0.1-r3, 9.3.0.1-r4, 9.3.0.3-r1, 9.3.0.4-r1, 9.3.0.4-r2, 9.3.0.5-r1, 9.3.0.5-r2, 9.3.0.5-r3, 9.3.0.6-r1, 9.3.0.10-r1, 9.3.0.10-r2, 9.3.0.11-r1, 9.3.0.11-r2, 9.3.0.15-r1, 9.3.0.16-r1, 9.3.0.16-r2, 9.3.0.17-r1, 9.3.0.17-r2, 9.3.0.17-r3, 9.3.0.20-r1, 9.3.0.20-r2, 9.3.0.21-r1, 9.3.0.21-r2, 9.3.0.21-r3, 9.3.0.25-r1, 9.4.0.0-r1, 9.4.0.0-r2, 9.4.0.0-r3, 9.4.0.5-r1, 9.4.0.5-r2

Event History

Apr 9, 2026
- CVE published via MITRE, 02:31 PM
- Data sourced via MITRE, 02:31 PM (description, weakness)
- Data sourced via Red Hat, 03:02 PM (description, severity, affected software)
- Data sourced via NVD, 03:16 PM (remedy, description, severity, weakness, affected software)
- Advisory published via GitHub, 05:32 PM
- Data sourced via GitHub, 05:32 PM (description, weakness, affected software)

May 15, 2026
- Data sourced via IBM, 12:00 AM (description, affected software)


Frequently Asked Questions

1. What is the severity of CVE-2025-62718?

CVE-2025-62718 is considered a critical vulnerability due to the potential for Server-Side Request Forgery (SSRF).

2. How do I fix CVE-2025-62718?

To mitigate CVE-2025-62718, upgrade Axios to version 1.15.0 or later.

3. What type of vulnerability is CVE-2025-62718?

CVE-2025-62718 is a hostname normalization bypass that allows SSRF attacks.

4. Which versions of Axios are affected by CVE-2025-62718?

CVE-2025-62718 affects versions of Axios prior to 1.15.0.

5. What is the impact of CVE-2025-62718 on applications using Axios?

CVE-2025-62718 can allow attackers to exploit SSRF vulnerabilities, potentially leading to unauthorized access to internal services.
