axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL

Description

A previously reported issue in axios demonstrated that using protocol-relative URLs could lead to SSRF (Server-Side Request Forgery). Reference: axios/axios#6463

A similar problem that occurs when passing absolute URLs rather than protocol-relative URLs to axios has been identified.

Recommendation

Update the axios package to the latest compatible version. Followings are version details:

• Affected version(s): **< 0.30.0

  >= 1.0.0, < 1.8.2**

• Patched version(s): **0.30.0

  1.8.2**

References

• GHSA-jr5f-v2jv-69x6
• CVE-2025-27152
• CWE-918
• CAPEC-310
• OWASP 2021-A10
• OWASP 2021-A6

Related Issues

• SvelteKit is vulnerable to denial of service and possible SSRF when using prerendering - CVE-2025-67647
• `undici.request` vulnerable to SSRF using absolute URL on `pathname` - CVE-2022-35949
• SvelteKit is vulnerable to denial of service and possible SSRF when using prerendering (GHSA-j62c-4x62-9r35) - CVE-2025-67647
• Parse Server is vulnerable to Server-Side Request Forgery (SSRF) via Instagram OAuth Adapter - CVE-2025-68150

Tags:

npm

axios