CVE-2025-27152

High CVSS: 7.7

axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if ⁠baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios. This issue is fixed in 1.8.2.

Vendor

Axios

Product

Axios

CWE

CWE-918

Yayın Tarihi

2025-03-07 16:15:38

Güncelleme

2025-11-25 17:58:17

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-918 Axios HIGH Axios 2025

Referanslar

https://github.com/axios/axios/issues/6463 https://github.com/axios/axios/security/advisories/GHSA-jr5f-v2jv-69x6 https://github.com/axios/axios/security/advisories/GHSA-jr5f-v2jv-69x6

Benzer Kayıtlar

High

CVE-2026-25639

Axios is a promise based HTTP client for the browser and Node.js. Prior to versions 0.30.3 and 1.13.5, the mergeConfig f…

High

CVE-2025-58754

Axios is a promise based HTTP client for the browser and Node.js. When Axios starting in version 0.28.0 and prior to ver…

Unknown

CVE-2024-57965

In axios before 1.7.8, lib/helpers/isURLSameOrigin.js does not use a URL object when determining an origin, and has a po…