Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.
6.3

CVE-2025-62718: Axios fails to block proxy requests to internal addresses

CVE-2025-62718 GHSA-3p68-rc4w-qgx5 GHSA-3p68-rc4w-qgx5
Summary

If you use Axios to make requests to internal services like localhost, a malicious actor could potentially bypass security settings and access those services. This is because Axios doesn't correctly block requests to internal addresses until version 1.15.0. Update to a newer version of Axios to fix this issue.

What to do
  • Update GitHub Actions axios to version 1.15.0.
  • Update axios to version 1.15.0.
  • Update axios to version 0.31.0.
Affected software
Ecosystem VendorProductAffected versions
npm GitHub Actions axios < 1.15.0
Fix: upgrade to 1.15.0
npm axios < 1.15.0
>= 1.0.0, < 1.15.0
< 0.31.0
Fix: upgrade to 1.15.0
axios axios < 1.15.0
< 0.31.0
>= 1.0.0, < 1.15.0
cpe:2.3:a:axios:axios:*:*:*:*:*:node.js:*:*
Original title
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopba...
Original description
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services. This issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or internal services despite the configured protections. This vulnerability is fixed in 1.15.0 and 0.31.0.
nvd CVSS4.0 9.3
Vulnerability type
CWE-441
CWE-918 Server-Side Request Forgery (SSRF)
Published: 9 Apr 2026 · Updated: 3 Jul 2026 · First seen: 9 Apr 2026