SSRF Vulnerability in Axios HTTP Client for Browser and Node.js
CVE-2025-27152

7.7HIGH

Key Information:

Vendor
Axios
Status
Vendor
CVE Published:
7 March 2025

Badges

  • 🥇 Trended No. 1
  • 📈 Trended
  • 📈 Score: 14,900
  • 📰 News Worthy

What is CVE-2025-27152?

CVE-2025-27152 refers to a vulnerability identified in the Axios HTTP client, which is widely used for making HTTP requests in both browser and Node.js environments. Axios is designed to simplify communication with web services, but this particular vulnerability arises when developers pass absolute URLs instead of protocol-relative URLs. Such a misconfiguration can expose organizations to Server-Side Request Forgery (SSRF) attacks, which could lead to unauthorized access to internal systems and leakage of sensitive data. As Axios is integrated into a very large number of applications, the implications of this vulnerability could be far-reaching, potentially compromising user credentials and sensitive information.

Technical Details

This vulnerability stems from how Axios handles requests when a developer specifies an absolute URL. Regardless of whether a baseURL has been defined, Axios will direct the request to the provided absolute URL, so the baseURL offers no protection when the URL is derived from untrusted input. This behavior can be exploited by malicious actors to manipulate request routing, potentially leading to SSRF attacks. SSRF vulnerabilities allow attackers to send crafted requests from the server, which may permit access to internal resources typically protected by firewalls. The issue affects both server-side and client-side usage of Axios, highlighting the necessity for correct API endpoint configuration.
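To make the behaviour concrete, the following added example (not the page's or the Axios project's own code; the first three functions mirror the URL-building logic Axios used before 1.8.2, and all host names and paths are constructed) shows how an absolute or protocol-relative string passed as the request path overrides baseURL, beside a guard that pins caller-supplied paths to the configured origin and path prefix. The guard, buildPinnedURL, is a hypothetical helper that also rejects the `/abs` and `../` escape cases not discussed above.

```javascript
// Constructed base URL for the demonstration (not from the advisory).
const BASE_URL = 'https://api.example/api/v1/';

// Axios treats anything starting with "<scheme>://" or "//" as absolute.
function isAbsoluteURL(url) {
  return /^([a-z][a-z\d+\-.]*:)?\/\//i.test(url);
}

// Axios-style join: strip trailing slash from base, leading slashes from path.
function combineURLs(baseURL, relativeURL) {
  return relativeURL
    ? baseURL.replace(/\/?\/$/, '') + '/' + relativeURL.replace(/^\/+/, '')
    : baseURL;
}

// The vulnerable behaviour described in the advisory: an absolute requestedURL
// is sent as-is and baseURL is silently ignored.
function buildFullPathLikeAxios(baseURL, requestedURL) {
  if (baseURL && !isAbsoluteURL(requestedURL)) {
    return combineURLs(baseURL, requestedURL);
  }
  return requestedURL;
}

// Mitigation usable with any Axios version (hypothetical helper): resolve the
// caller-supplied path against baseURL with the WHATWG URL parser, then refuse
// anything whose origin or path prefix leaves baseURL. This catches "http://",
// "//host", "/absolute" and "../" escapes alike.
function buildPinnedURL(baseURL, userPath) {
  const base = new URL(baseURL);
  const resolved = new URL(userPath, base);
  if (resolved.origin !== base.origin) {
    throw new Error(`rejected: origin ${resolved.origin} != ${base.origin}`);
  }
  if (!resolved.pathname.startsWith(base.pathname)) {
    throw new Error(`rejected: path ${resolved.pathname} escapes ${base.pathname}`);
  }
  return resolved.href;
}

// Side-by-side comparison over constructed inputs.
const samples = ['users/42', '/admin', '../admin',
  '//intranet.example/status', 'http://intranet.example/status'];
for (const p of samples) {
  let pinned;
  try { pinned = buildPinnedURL(BASE_URL, p); } catch (e) { pinned = e.message; }
  console.log(JSON.stringify(p), '=>', buildFullPathLikeAxios(BASE_URL, p), '|', pinned);
}
```

Upgrading to axios 1.8.2 or later is the fix for the library itself; the guard above is the defence-in-depth check to apply wherever request paths come from user input.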

Potential Impact of CVE-2025-27152

  1. Unauthorized Internal Resource Access: Attackers exploiting this vulnerability can gain access to internal systems and services, which are not usually exposed to the public internet. This can lead to unauthorized data exposure or manipulation of critical services.

  2. Sensitive Data Leakage: Due to the potential for SSRF, sensitive information such as database contents, service credentials, or API keys could be leaked. This leakage can have catastrophic consequences for an organization's security posture.

  3. Compromised User Credentials: As Axios is often used to make requests that include user credentials, successful exploitation could allow attackers to capture those credentials, leading to further compromise of accounts and systems.

Affected Version(s)

axios < 1.8.2

News Articles

Java Axios Package Vulnerability Threatens Millions of Servers with SSRF Exploit

A critical security issue has been identified in the Axios package for JavaScript, which poses significant risks to millions of servers.

2 weeks ago

References

CVSS V4

Score:
7.7
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • 🥇

    Vulnerability reached the number 1 worldwide trending spot

  • 📰

    First article discovered by GBHackers News

  • 📈

    Vulnerability started trending

  • Vulnerability published

  • Vulnerability Reserved
