Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Ax

Severity:: High

Description

1. Executive Summary This report documents an incomplete security patch for the previously disclosed vulnerability GHSA-3p68-rc4w-qgx5 (CVE-2025-62718), which affects the NO_PROXY hostname resolution logic in the Axios HTTP library.

Recommendation

Update the axios package to the latest compatible version. Followings are version details:

Affected version(s): **<= 0.31.0 >= 1.0.0, < 1.15.1**
Patched version(s): **0.31.1 1.15.1**

References

GHSA-pmwg-cvhr-8vh7
CVE-2026-42043
CWE-183
CWE-441
CWE-918
CAPEC-310
OWASP 2021-A1
OWASP 2021-A10
OWASP 2021-A4
OWASP 2021-A6

Related Issues

Cloudflare has SSRF via redirect following through its image-binding-transform endpoint (incomplete fix for GHSA-qpr4) - CVE-2026-41321
Axios: no_proxy bypass via IP alias allows SSRF - CVE-2026-42038
Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF - CVE-2025-62718
Neotoma: Unauthenticated Inspector/API access via reverse-proxy loopback auth bypass - CVE-2026-45577

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:: npm; axios

Anything's wrong? Let us know Last updated on May 05, 2026