CVE-2025-62718

Name: CVE-2025-62718
Creator: NVD / NIST
Published: 2026-04-09T15:16:08.65+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 6.3/10EPSS 1.07%

Last modified Jun 17, 2026

CVE-2025-62718 is a medium-severity vulnerability rated 6.3/10 on the CVSS scale. Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. EPSS estimates a 1.07% chance of exploitation in the next 30 days.

Description

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services. This issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or internal services despite the configured protections. This vulnerability is fixed in 1.15.0 and 0.31.0.

Metrics

CVSS 3.1

9.9/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L

CVSS 4.0

6.3/10

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS Probability

1.07%

60.7th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Axios	Axios	< 0.31.0
Axios	Axios	>= 1.0.0, < 1.15.0

References

https://datatracker.ietf.org/doc/html/rfc1034#section-3.1Technical Description
https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2Technical Description
https://github.com/axios/axios/commit/03cdfc99e8db32a390e12128208b6778492cee9cPatch
https://github.com/axios/axios/commit/fb3befb6daac6cad26b2e54094d0f2d9e47f24dfPatch
https://github.com/axios/axios/pull/10661Issue Tracking, Patch
https://github.com/axios/axios/pull/10688Issue Tracking
https://github.com/axios/axios/releases/tag/v0.31.0Release Notes
https://github.com/axios/axios/releases/tag/v1.15.0Product, Release Notes
https://github.com/axios/axios/security/advisories/GHSA-3p68-rc4w-qgx5Exploit, Mitigation, Vendor Advisory
https://github.com/axios/axios/security/advisories/GHSA-3p68-rc4w-qgx5Exploit, Mitigation, Vendor Advisory

Timeline

Published: Apr 9, 2026
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2025-62718?

How severe is CVE-2025-62718?

CVE-2025-62718 has a CVSS score of 6.3/10 (MEDIUM severity). The EPSS model estimates a 1.07% probability of exploitation in the next 30 days.

How do I fix CVE-2025-62718?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2025-62718?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST