Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF
- Severity: Medium
Description
Axios does not normalize the request hostname before matching it against NO_PROXY rules. As a result, requests to loopback addresses written as `localhost.` (with a trailing dot) or `[::1]` (an IPv6 literal) fail to match the NO_PROXY entry that would otherwise exclude them and are sent through the configured proxy instead.
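The normalization gap described above, as an added example that is not axios's own code: a NO_PROXY matcher that canonicalizes the hostname (trailing dot, IPv6 brackets, case) before comparing, so the two variants named in this advisory are matched by the bypass list. The NO_PROXY entry syntax assumed here (comma-separated entries, exact or domain-suffix match, `*` for all hosts, ports ignored) is an assumption, not axios's documented behaviour.

```javascript
// Added example (not axios code): NO_PROXY matching with hostname normalization.
// Assumed NO_PROXY syntax: comma-separated entries; an entry matches the host
// exactly or as a domain suffix (leading "." optional); "*" matches everything.
// Ports are deliberately ignored in this example.

function normalizeHostname(hostname) {
  let h = String(hostname).trim().toLowerCase();
  // Strip the fully-qualified-name trailing dot(s): "localhost." -> "localhost".
  while (h.endsWith('.')) h = h.slice(0, -1);
  // Strip IPv6 literal brackets: "[::1]" -> "::1".
  if (h.startsWith('[') && h.endsWith(']')) h = h.slice(1, -1);
  return h;
}

function shouldBypassProxy(hostname, noProxy) {
  const host = normalizeHostname(hostname);
  if (!host) return false;
  const entries = String(noProxy || '')
    .split(',')
    .map((e) => normalizeHostname(e)) // same canonical form on both sides
    .filter(Boolean);
  return entries.some((entry) => {
    if (entry === '*') return true;
    const suffix = entry.startsWith('.') ? entry.slice(1) : entry;
    return host === suffix || host.endsWith('.' + suffix);
  });
}

// Constructed sample: both advisory variants must hit the loopback entries.
const sampleNoProxy = 'localhost,127.0.0.1,[::1],.internal.example';
console.log(shouldBypassProxy('localhost.', sampleNoProxy)); // true
console.log(shouldBypassProxy('[::1]', sampleNoProxy));      // true
console.log(shouldBypassProxy('evil.example', sampleNoProxy)); // false
```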
Recommendation
Update the axios package to the latest compatible version. Version details:
Affected version(s): **< 0.31.0; >= 1.0.0, < 1.15.0**
Patched version(s): **0.31.0, 1.15.0**
References
- GHSA-3p68-rc4w-qgx5
- datatracker.ietf.org
- CVE-2025-62718
- CWE-441
- CWE-918
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A10
- OWASP 2021-A6
Related Issues
- Astro's bypass of image proxy domain validation leads to SSRF and potential XSS - CVE-2025-59837
- @octokit/request-error has a Regular Expression in index that Leads to ReDoS Vulnerability Due to Catastrophic Backtrack - CVE-2025-25289
- @octokit/endpoint has a Regular Expression in parse that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking - CVE-2025-25285
- Axios: no_proxy bypass via IP alias allows SSRF - CVE-2026-42038
Last updated on April 16, 2026