SSRF Vulnerability in Axios HTTP Client for Browser and Node.js
CVE-2025-27152
Key Information:
- Vendor: Axios
- CVE Published: 7 March 2025
What is CVE-2025-27152?
CVE-2025-27152 is a vulnerability in the Axios HTTP client, which is widely used for making HTTP requests in both browser and Node.js environments. Axios is designed to simplify communication with web services, but when a developer passes an absolute URL instead of a protocol-relative URL, Axios sends the request to that absolute URL even if a baseURL has been configured. Where the URL is derived from untrusted input, this exposes applications to Server-Side Request Forgery (SSRF), which can lead to unauthorized access to internal systems and leakage of sensitive data. Because Axios is integrated into a very large number of applications, the implications are far-reaching and may include the compromise of user credentials and other sensitive information.
Technical Details
This vulnerability stems from how Axios handles requests when a developer specifies an absolute URL. Regardless of whether a baseURL has been defined, Axios directs the request to the provided absolute URL rather than resolving it against the baseURL. An attacker who controls that URL can therefore redirect the request, potentially leading to SSRF. SSRF vulnerabilities allow attackers to send crafted requests from the server, which may grant access to internal resources that are normally protected by firewalls. The issue affects both server-side and client-side usage of Axios, highlighting the need to validate API endpoint configuration and to avoid building request URLs from untrusted input.
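The following is an added example, not code from the Axios project or from this advisory. It shows a defensive resolver that an application can place in front of any HTTP client: a request path is resolved against the configured baseURL, and any value that carries its own scheme or a protocol-relative `//host` prefix (which also names a host), or that resolves outside the base path, is rejected before a request is ever built. Hostnames and paths are constructed for the illustration; the regular expression is my own and is not Axios's internal check.

```javascript
// Added example (not Axios's own code): keep every outbound request under a
// configured baseURL instead of trusting a caller-supplied URL.
// All hostnames and paths below are constructed for the illustration.

// Matches "scheme://..." as well as protocol-relative "//host/..." values.
// Both name a host, so both would leave the configured baseURL.
const ABSOLUTE_URL = /^([a-z][a-z\d+\-.]*:)?\/\//i;

function isAbsoluteUrl(value) {
  return ABSOLUTE_URL.test(value);
}

// Resolve `requested` against `baseURL` and refuse anything that would change
// the origin or escape the base path (e.g. "../admin"). Returns the final URL.
function resolveRequestUrl(baseURL, requested) {
  if (typeof requested !== 'string') {
    throw new TypeError('requested URL must be a string');
  }
  if (isAbsoluteUrl(requested)) {
    throw new Error(`refusing absolute URL outside baseURL: ${requested}`);
  }
  const base = new URL(baseURL);           // throws if baseURL itself is malformed
  const resolved = new URL(requested, base);
  if (resolved.origin !== base.origin || !resolved.href.startsWith(base.href)) {
    throw new Error(`resolved URL ${resolved.href} escapes baseURL ${base.href}`);
  }
  return resolved.href;
}

// Classify a batch of candidate paths (for example, values seen in request
// logs) so a reviewer can see which ones the guard would have stopped.
function classify(baseURL, candidates) {
  return candidates.map((input) => {
    try {
      return { input, allowed: true, url: resolveRequestUrl(baseURL, input) };
    } catch (err) {
      return { input, allowed: false, reason: err.message };
    }
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  const base = 'https://api.example.com/v1/';   // constructed baseURL
  const samples = [                              // constructed inputs
    'users/42',                                   // allowed: stays under /v1/
    '/v1/users/42',                               // allowed: same prefix
    '//internal-service.example/admin',           // rejected: protocol-relative host
    'http://internal-service.example/admin',      // rejected: absolute URL
    '../admin',                                   // rejected: escapes /v1/
  ];
  for (const result of classify(base, samples)) {
    console.log(result);
  }
}
```

The guard is deliberately independent of the client library, so it protects code that still runs an Axios release earlier than 1.8.2 (`npm ls axios` lists the installed versions). Axios 1.8.2 and later also expose an `allowAbsoluteUrls` option that can be set to `false` on a client instance to make Axios itself refuse absolute URLs when a baseURL is configured; keeping the application-level check as well means the policy does not depend on one library's default.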
Potential Impact of CVE-2025-27152
- Unauthorized Internal Resource Access: Attackers exploiting this vulnerability can gain access to internal systems and services that are not usually exposed to the public internet. This can lead to unauthorized data exposure or manipulation of critical services.
- Sensitive Data Leakage: Because of the potential for SSRF, sensitive information such as database contents, service credentials, or API keys could be leaked. Such leakage can have catastrophic consequences for an organization's security posture.
- Compromised User Credentials: As Axios is often used to make requests that include user credentials, successful exploitation could allow attackers to capture those credentials, leading to further compromise of accounts and systems.
Affected Version(s)
axios < 1.8.2
News Articles

Java Axios Package Vulnerability Threatens Millions of Servers with SSRF Exploit
A critical security issue has been identified in the Axios package for JavaScript, which poses significant risks to millions of servers.
2 weeks ago
References
CVSS V4
Timeline
- Vulnerability reached the number 1 worldwide trending spot
- First article discovered by GBHackers News
- Vulnerability started trending
- Vulnerability published
- Vulnerability reserved