axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL
- Severity:
- High
Description
A previously reported issue in axios demonstrated that using protocol-relative URLs could lead to SSRF (Server-Side Request Forgery). Reference: axios/axios#6463
A similar problem that occurs when passing absolute URLs rather than protocol-relative URLs to axios has been identified.
Recommendation
Update the axios package to the latest compatible version. Followings are version details:
Affected version(s): **< 0.30.0 >= 1.0.0, < 1.8.2** Patched version(s): **0.30.0 1.8.2**
References
Related Issues
- Axios is vulnerable to DoS attack through lack of data size check - CVE-2025-58754
- snowflake-sdk may incorrectly validate temporary credential cache file permissions - CVE-2025-24791
- @workos-inc/authkit-remix refresh tokens are logged when the debug flag is enabled - CVE-2024-51753
- @saltcorn/server arbitrary file zip read and download when downloading auto backups - Vulnerability
- Tags:
- npm
- axios
Anything's wrong? Let us know Last updated on March 28, 2025