In the complex architecture of modern web applications, the difference between a secure internal request and a data leak can sometimes come down to a single character. Security researchers have uncovered a critical vulnerability in Axios, one of the most popular Promise-based HTTP clients for Node.js and the browser, that allows attackers to bypass core security protections.
The flaw, tracked as CVE-2025-62718, carries a CVSS score of 9.3, signaling a high-priority emergency for developers relying on NO_PROXY settings to safeguard their internal infrastructure.
At the heart of the issue is a failure in hostname normalization. Developers frequently use the NO_PROXY environment variable to ensure that traffic meant for the local machine or internal services (like localhost or 127.0.0.1) stays within the protected local network and does not travel through an external proxy server.
However, Axios was found to perform a literal string comparison rather than normalizing hostnames before checking them against NO_PROXY rules.
Attackers can exploit this oversight using two primary methods to trick Axios into ignoring its safety rules:
- According to DNS standards (RFC 1034), a hostname can include a trailing dot (e.g., localhost.) to signify it is a fully qualified domain name (FQDN). While functionally identical to localhost, Axios does not recognize localhost. as a match for a NO_PROXY=localhost rule.
- Requests made to IPv6 loopback addresses, such as [::1], are similarly misinterpreted, causing them to skip NO_PROXY matching entirely.
When these “loopback” requests skip the NO_PROXY filter, they are incorrectly routed through the configured proxy server. This “normalization bypass” opens the door to several severe security risks:
- Server-Side Request Forgery (SSRF): Attackers controlling request URLs can force Axios to reach out to sensitive internal services or loopback addresses that were supposed to be protected.
- Mitigation Bypass: Many organizations rely on NO_PROXY as a primary defense against SSRF; this flaw effectively renders those defenses useless.
- Data Exfiltration: Sensitive responses from internal services—which may contain credentials, configuration data, or private user info—can be inadvertently sent through an attacker-controlled proxy, allowing for silent exfiltration.
The vulnerability has been confirmed in Axios 1.12.2 and is believed to affect all versions that rely on the current logic for NO_PROXY evaluation.
Developers are urged to take immediate action:
- Audit Your Configurations: Identify any internal applications that rely on NO_PROXY for loopback protection.
- Upgrade: Check for the latest security patches from the Axios maintainers that implement proper hostname normalization.
- Manual Normalization: Until a patch is applied, consider manually normalizing or validating URLs before passing them to Axios to ensure they do not contain trailing dots or unrecognized IPv6 formats.