Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF
- Severity:
- Medium
Description
Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy.
Recommendation
Update the axios package to the latest compatible version. Followings are version details:
Affected version(s): **< 0.31.0 >= 1.0.0, < 1.15.0** Patched version(s): **0.31.0 1.15.0**
References
- GHSA-3p68-rc4w-qgx5
- datatracker.ietf.org
- CVE-2025-62718
- CWE-441
- CWE-918
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A10
- OWASP 2021-A6
Related Issues
- Astro's bypass of image proxy domain validation leads to SSRF and potential XSS - CVE-2025-59837
- @octokit/request has a Regular Expression in fetchWrapper that Leads to ReDoS Vulnerability Due to Catastrophic Backtrac - CVE-2025-25290
- @octokit/request-error has a Regular Expression in index that Leads to ReDoS Vulnerability Due to Catastrophic Backtrack - CVE-2025-25289
- Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Ax - CVE-2026-42043
You might also like:
- Tags:
- npm
- axios
Anything's wrong? Let us know Last updated on April 16, 2026


