CVE-2025-62718
Published: 09 April 2026
Summary
CVE-2025-62718 is a critical-severity Confused Deputy (CWE-441) vulnerability in the Axios HTTP client (vendor: Axios). Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 13.2 percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mitigates the Axios hostname normalization flaw by requiring timely remediation through upgrades to the patched versions 1.15.0 or 0.31.0.
- SI-10 (Information Input Validation): Prevents SSRF exploitation by validating and sanitizing user-supplied hostnames and URLs before passing them to the Axios HTTP client.
- SC-7 (Boundary Protection): Mitigates SSRF impact by monitoring and controlling communications at system boundaries to block unauthorized access to loopback or internal services.
MITRE ATT&CK Enterprise Techniques
- T1190 (Exploit Public-Facing Application)
Why these techniques?
Direct SSRF via NO_PROXY bypass in public-facing Axios usage enables remote exploitation of applications per T1190.
NVD Description
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services. This issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or internal services despite the configured protections. This vulnerability is fixed in 1.15.0 and 0.31.0.
Deeper analysis
CVE-2025-62718 affects Axios, a promise-based HTTP client used in browsers and Node.js environments, in versions prior to 1.15.0 and 0.31.0. The vulnerability stems from improper hostname normalization during NO_PROXY rule checks: requests to loopback addresses such as "localhost." (with a trailing dot) or "[::1]" (IPv6 loopback literal) bypass NO_PROXY matching and are routed through the configured proxy instead. This behavior contradicts the developer expectation that NO_PROXY protects loopback or internal services, enabling proxy bypass and server-side request forgery (SSRF) risks, as classified under CWE-441 (Unintended Proxy or Intermediary, "Confused Deputy") and CWE-918 (SSRF). The issue carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L).
Remote, unauthenticated attackers can exploit this vulnerability by crafting requests with specially formatted hostnames that evade NO_PROXY checks, forcing Axios-based applications to send traffic through a proxy to otherwise protected loopback or internal endpoints. Exploitation requires the ability to influence HTTP requests made by the affected Axios instance, such as via user-supplied inputs in web applications. Successful attacks allow attackers to achieve SSRF, potentially accessing sensitive internal services, with high confidentiality impact due to changed scope, alongside low integrity and availability effects.
Mitigation is available through upgrading to Axios versions 1.15.0 or 0.31.0, where the issue is fixed via commits such as 03cdfc99e8db32a390e12128208b6778492cee9c and fb3befb6daac6cad26b2e54094d0f2d9e47f24df, as merged in pull request 10661 on the Axios GitHub repository. These changes address hostname normalization per relevant standards documented in RFC 1034 (section 3.1) and RFC 3986 (section 3.2.2). No additional vendor advisories are referenced beyond the GitHub fixes.
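To make the normalization point concrete, the following is an added illustration (not Axios's own code and not the fix from pull request 10661): a naive NO_PROXY matcher that compares the raw host string beside a matcher that first strips the trailing dot (RFC 1034 section 3.1) and IPv6 brackets (RFC 3986 section 3.2.2). The function names and the NO_PROXY list are constructed for this example.

```javascript
// Constructed NO_PROXY list for the example: loopback entries plus an internal suffix rule.
const NO_PROXY = 'localhost,127.0.0.1,::1,.internal.example';

function splitRules(noProxy) {
  return noProxy.split(',').map((r) => r.trim()).filter(Boolean);
}

// Naive matcher: compares the request host exactly as written.
// "localhost." and "[::1]" never equal "localhost" / "::1", so they fall through
// to the proxy even though the operator intended them to be exempt.
function naiveMatchesNoProxy(host, noProxy) {
  const h = host.trim().toLowerCase();
  return splitRules(noProxy).some((rule) => {
    const r = rule.toLowerCase();
    if (r === '*' || h === r) return true;
    const suffix = r.startsWith('.') ? r : '.' + r;
    return h.endsWith(suffix);
  });
}

// Canonical form for matching: lower-case, drop IPv6 literal brackets,
// drop trailing dots (an absolute DNS name is the same host as the relative one).
function normalizeHost(host) {
  let h = host.trim().toLowerCase();
  if (h.startsWith('[') && h.endsWith(']')) h = h.slice(1, -1); // "[::1]" -> "::1"
  while (h.endsWith('.')) h = h.slice(0, -1);                   // "localhost." -> "localhost"
  return h;
}

// Hardened matcher: both the request host and every rule are normalized
// before comparison, so spelling variants of the same host cannot evade the list.
function matchesNoProxy(host, noProxy) {
  const h = normalizeHost(host);
  return splitRules(noProxy).some((rule) => {
    const r = normalizeHost(rule);
    if (r === '*' || h === r) return true;
    const suffix = r.startsWith('.') ? r : '.' + r;
    return h.endsWith(suffix);
  });
}

// Convenience: show both decisions side by side for a given host.
function proxyDecision(host, noProxy = NO_PROXY) {
  return { naiveBypasses: naiveMatchesNoProxy(host, noProxy),
           normalizedBypasses: matchesNoProxy(host, noProxy) };
}
```

A request that the naive matcher sends to the proxy while the normalized matcher exempts it is exactly the class of host the description calls out.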
Details
- CWE(s)