axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL

Description

A previously reported issue in axios demonstrated that using protocol-relative URLs could lead to SSRF (Server-Side Request Forgery). Reference: axios/axios#6463

A similar problem that occurs when passing absolute URLs rather than protocol-relative URLs to axios has been identified.

Recommendation

Update the axios package to the latest compatible version. Followings are version details:

• Affected version(s): **< 0.30.0

  >= 1.0.0, < 1.8.2**

• Patched version(s): **0.30.0

  1.8.2**

References

• GHSA-jr5f-v2jv-69x6
• CVE-2025-27152
• CWE-918
• CAPEC-310
• OWASP 2021-A10
• OWASP 2021-A6

Related Issues

• webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior - CVE-2025-68458
• SvelteKit is vulnerable to denial of service and possible SSRF when using prerendering - @sveltejs/adapter-node - CVE-2025-67647
• Parse Server is vulnerable to Server-Side Request Forgery (SSRF) via Instagram OAuth Adapter - CVE-2025-68150
• Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass - CVE-2025-64525

You might also like:

CSRF, XXE, and 12 Other Security Acronyms Explained

10 Secure Coding Best Practices to Follow in Every Project

Update Cheat Sheet for Developers

Tags:

npm

axios