PatchSiren

CVE-2025-62718 axios CVE debrief

CVE-2025-62718 describes a proxy-bypass weakness in Axios' NO_PROXY handling. When hostname normalization is incorrect, requests aimed at loopback-style targets such as localhost. (with a trailing dot) or the IPv6 literal [::1] can fail to match NO_PROXY and be sent through the configured proxy instead. In environments that rely on proxy rules to keep loopback or internal traffic local, this can create SSRF-style exposure of sensitive services.

Vendor: axios
Product: Unknown
CVSS: MEDIUM 6.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-09
Original CVE updated: 2026-05-21
Advisory published: 2026-04-09
Advisory updated: 2026-05-21

Who should care

Teams running Axios in Node.js environments where outbound traffic is controlled by proxy settings, especially if applications call localhost, loopback literals, or internal hosts protected by NO_PROXY.

Technical summary

The issue is a hostname normalization and comparison problem in Axios' proxy exclusion logic. The advisory states that prior to 1.15.0 and 0.31.0, loopback addresses such as localhost. (with a trailing dot) and [::1] may skip NO_PROXY matching and be routed through the configured proxy. The source references RFC 1034 (DNS name syntax, including the trailing-dot form) and RFC 3986 (URI syntax, including bracketed IPv6 literals), and the fix was shipped in Axios releases v0.31.0 and v1.15.0.

Defensive priority

Medium, with higher urgency for applications that depend on NO_PROXY to protect loopback or internal services from proxy routing.

Recommended defensive actions

  • Upgrade Axios to 1.15.0 or later on the 1.x line, or to 0.31.0 on the legacy line, as indicated by the advisory and release notes.
  • Audit applications that use Axios with proxy environment variables and verify that NO_PROXY includes the internal and loopback targets you expect to stay local.
  • Test requests to loopback-style destinations, including localhost. and [::1], to confirm they are not routed through an upstream proxy.
  • Review any code paths that fetch metadata, admin endpoints, or internal APIs over HTTP from Node.js services using Axios.
  • If immediate upgrade is not possible, apply a compensating control that prevents proxy use for sensitive internal destinations and validate the effective routing behavior.
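The example below is added for this debrief and is not Axios' own code; it does not reproduce Axios' internal NO_PROXY matcher. It serves both the technical summary above (a naive exact-string comparison beside a matcher that normalizes the trailing-dot and bracketed-IPv6 forms the advisory names) and the verification and compensating-control actions in the list (a helper that lists which URLs the naive comparison would hand to the proxy, and a per-request proxy decision that returns null for bypass). The NO_PROXY value, proxy address, URLs and the entry semantics (leading-dot suffix match, "*" wildcard) are constructed for this example and are not taken from the advisory.

```javascript
// Added example (not Axios' own code). Requires Node.js with the global
// WHATWG URL class; no third-party modules.

// Constructed sample values for this example (not from the advisory).
const SAMPLE_NO_PROXY = 'localhost,127.0.0.1,::1,.internal.example';
const SAMPLE_PROXY = 'http://proxy.example:3128';
const SAMPLE_URLS = [
  'http://localhost./admin',          // trailing dot: fully-qualified form
  'http://[::1]:8080/metrics',        // bracketed IPv6 loopback literal
  'http://LOCALHOST/health',          // mixed case
  'http://127.0.0.1/',
  'http://api.internal.example/v1',
  'http://internal.example/',
  'https://example.com/',
];

function parseNoProxy(value) {
  return (value || '')
    .split(',')
    .map((entry) => entry.trim())
    .filter(Boolean);
}

// Canonical form used for comparison:
//  - DNS names are case-insensitive (RFC 1034), so lower-case;
//  - a single trailing dot marks a fully-qualified name (RFC 1034), drop it;
//  - URI syntax wraps IPv6 literals in brackets (RFC 3986), unwrap them.
function normalizeHost(host) {
  let h = host.toLowerCase();
  if (h.endsWith('.')) h = h.slice(0, -1);
  if (h.startsWith('[') && h.endsWith(']')) h = h.slice(1, -1);
  return h;
}

// Entry semantics assumed by this example: "*" matches everything, a
// leading-dot entry matches that domain and any subdomain, else exact.
function matchesEntry(host, entry) {
  if (entry === '*') return true;
  if (entry.startsWith('.')) return host === entry.slice(1) || host.endsWith(entry);
  return host === entry;
}

// Naive matcher: raw URL hostname compared with each raw entry. WHATWG URL
// keeps the trailing dot of "localhost." and the brackets of "[::1]" in
// .hostname, so neither equals its NO_PROXY entry and both go to the proxy.
function naiveShouldBypassProxy(urlString, noProxyValue) {
  const host = new URL(urlString).hostname;
  return parseNoProxy(noProxyValue).some((entry) => matchesEntry(host, entry));
}

// Normalizing matcher: both sides canonicalised before comparison.
function shouldBypassProxy(urlString, noProxyValue) {
  const host = normalizeHost(new URL(urlString).hostname);
  return parseNoProxy(noProxyValue).some((entry) => matchesEntry(host, normalizeHost(entry)));
}

// Compensating control: decide the proxy per request with the normalizing
// matcher; null means "connect directly". env is a plain object here.
function resolveProxyFor(urlString, env) {
  const proxy = env.HTTP_PROXY || env.http_proxy || null;
  if (!proxy) return null;
  return shouldBypassProxy(urlString, env.NO_PROXY || env.no_proxy) ? null : proxy;
}

// Verification helper: URLs the naive comparison would send to the proxy
// even though the normalized rules say they must stay local.
function findProxyLeaks(urls, noProxyValue) {
  return urls.filter(
    (u) => shouldBypassProxy(u, noProxyValue) && !naiveShouldBypassProxy(u, noProxyValue),
  );
}

// Demo run over the constructed inputs.
const demoEnv = { HTTP_PROXY: SAMPLE_PROXY, NO_PROXY: SAMPLE_NO_PROXY };
for (const u of SAMPLE_URLS) {
  console.log(u.padEnd(34), 'proxy:', resolveProxyFor(u, demoEnv) || '(direct)');
}
console.log('leaks under naive matching:', findProxyLeaks(SAMPLE_URLS, SAMPLE_NO_PROXY));
```

The comparison is host-only: entries carrying a port or a CIDR range, and any other forms a particular client supports, are outside this example, and the entry semantics are this example's assumption rather than a description of Axios' implementation. Its value for the audit step is the findProxyLeaks output: any URL it reports is one whose effective routing should be confirmed against the real client and proxy configuration.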

Evidence notes

The CVE record and NVD entry identify the issue as analyzed and published on 2026-04-09, with the latest modification on 2026-05-21. The supplied description states the affected versions are prior to 1.15.0 and 0.31.0 and that the bug causes NO_PROXY mismatches for loopback-style hostnames. NVD metadata lists related references to RFC 1034, RFC 3986, Axios patches, issue tracking, and release notes, supporting the normalization and remediation context. NVD also maps the affected Axios Node.js CPE ranges ending before 0.31.0 and 1.15.0.

Official resources

Published by the CVE record on 2026-04-09 and last modified on 2026-05-21; the source metadata points to fixes in Axios v0.31.0 and v1.15.0.