
A newly discovered vulnerability in the widely used JavaScript library ‘Axios’ could leave millions of users at risk of Server-Side Request Forgery (SSRF) and credential leakage.
Axios, a popular HTTP client library for Node.js and browsers, has been found to contain a security flaw that could allow attackers to send requests to internal network resources or leak sensitive information. The vulnerability, identified as CVE-2025-27152 with a CVSSv4 score of 7.7, affects all versions of Axios up to and including 1.7.9.
The flaw stems from how Axios handles absolute URLs. Even when an instance is created with a baseURL, a request whose url argument is itself an absolute URL (one that starts with a scheme followed by //, or with a bare // in protocol-relative form) is sent to that URL rather than being appended to the base. An application that builds the request path from untrusted input, for example fetching /users/<id> with an id taken straight from an incoming request, therefore lets the caller choose the destination host, and any headers or credentials configured on the instance are sent along with the request.
Impact:
- Credential Leakage: API keys, tokens or other credentials configured on the Axios instance (for example in default headers) are sent to whichever host the attacker-supplied absolute URL names.
- SSRF (Server-Side Request Forgery): the server running the Axios code can be made to issue requests to hosts reachable from its own network position, including internal services that are not exposed to the attacker directly.
Affected Users:
Software that configures a baseURL and interpolates unvalidated path parameters into request URLs is particularly vulnerable. Given Axios’s popularity, with over 251 million downloads per month, the potential impact of this vulnerability is significant.
Remediation:
Developers and organizations using Axios are urged to update to the patched version 1.8.2 or later immediately. Updating alone does not change the default behaviour: absolute URLs still override baseURL unless the instance is created with allowAbsoluteUrls: false, so set that option on any client whose baseURL must be authoritative. Independently of the library version, validate or percent-encode path parameters before interpolating them into a request URL, and reject any value that would be interpreted as an absolute URL.
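The URL-combining behaviour described above and the two mitigations, as an added example that is not code from Axios or from the advisory. It models a baseURL-aware client offline (no network, no axios import): an absolute or protocol-relative request URL replaces the base, forcing the base (the intent of the allowAbsoluteUrls: false option in 1.8.x) keeps the request on the configured host, and an application-side allow-list on the path parameter stops the hostile value before it reaches the client at all. The host names, the API key header and the user-id format are constructed for the illustration.

```javascript
// Added example, not code from Axios or from the advisory. It models how an
// HTTP client that supports a baseURL decides where a request goes, so the
// SSRF / credential-leak path can be traced offline, and pairs it with the
// application-side check that keeps a user-supplied path parameter on the
// intended host. Host names below are constructed (.test is a reserved TLD).

// An "absolute" URL here is one with an optional scheme followed by "//",
// so the protocol-relative form "//attacker.test/x" counts as absolute too.
const ABSOLUTE_URL = /^([a-z][a-z\d+\-.]*:)?\/\//i;

function isAbsoluteURL(url) {
  return ABSOLUTE_URL.test(url);
}

// Join a base and a relative path without doubling the slash between them.
function combineURLs(baseURL, relativeURL) {
  return relativeURL
    ? baseURL.replace(/\/?\/$/, "") + "/" + relativeURL.replace(/^\/+/, "")
    : baseURL;
}

// Resolution as a baseURL-aware client does it. With allowAbsoluteUrls=true
// (the vulnerable behaviour, and still the default) an absolute requestedURL
// replaces the base outright; with false the base is always prepended.
function buildFullPath(baseURL, requestedURL, allowAbsoluteUrls = true) {
  const isRelative = !isAbsoluteURL(requestedURL);
  if (baseURL && (isRelative || !allowAbsoluteUrls)) {
    return combineURLs(baseURL, requestedURL);
  }
  return requestedURL;
}

// Host the request actually reaches. Protocol-relative results inherit the
// base's scheme, which is how a browser or client would resolve them.
function targetHost(baseURL, requestedURL, allowAbsoluteUrls = true) {
  const full = buildFullPath(baseURL, requestedURL, allowAbsoluteUrls);
  return new URL(full, baseURL).host;
}

// Application-side fix that does not depend on the client version: a user id
// is a single path segment, so allow-list its characters and percent-encode
// it. Anything that could be read as a URL (or as "..") is rejected up front.
const USER_ID = /^[A-Za-z0-9_-]{1,64}$/; // constructed id format

function userPath(baseURL, userId) {
  if (typeof userId !== "string" || !USER_ID.test(userId)) {
    throw new Error(`rejected path parameter: ${JSON.stringify(userId)}`);
  }
  return buildFullPath(baseURL, encodeURIComponent(userId));
}

// Constructed scenario: an instance configured for an internal API, carrying
// an API key in its default headers, receives an id straight from a request.
const BASE = "http://example.test/api/v1/users/";
const DEFAULT_HEADERS = { "X-API-KEY": "1234567890" }; // sent on every request

function demo() {
  const attackerId = "http://attacker.test/";
  return {
    honest: targetHost(BASE, "42"),                           // example.test
    hijacked: targetHost(BASE, attackerId),                    // attacker.test, with DEFAULT_HEADERS
    protocolRelative: targetHost(BASE, "//attacker.test/x"),   // attacker.test
    forcedBase: targetHost(BASE, attackerId, false),           // example.test
    validated: new URL(userPath(BASE, "42")).host,             // example.test
    leakedHeaderNames: Object.keys(DEFAULT_HEADERS),
  };
}

console.log(demo());
```

The hijacked and protocolRelative cases are the advisory's scenario: the caller never touched the baseURL, yet the request, with the instance's default headers, leaves for attacker.test. The forcedBase case shows what allowAbsoluteUrls: false buys (the hostile value becomes a harmless path suffix on the configured host), and userPath shows the check an application should apply regardless, since it also rejects traversal-style values such as "..".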
For a detailed proof-of-concept (PoC) and technical analysis of the vulnerability, please refer to the security advisory.