9.9 CVE-2025-62718

Enriched by CISA Patch Exploit

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services. This issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or internal services despite the configured protections. This vulnerability is fixed in 1.15.0 and 0.31.0.
https://nvd.nist.gov/vuln/detail/CVE-2025-62718

Categories

CWE-441 : Unintended Proxy or Intermediary ('Confused Deputy')
The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor. This weakness is sometimes referred to as the "Confused deputy" problem, in which an attacker misuses the authority of one victim (the "confused deputy") to use that victim's legitimate (restricted) capabilities to target another victim. Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) Enforce the use of strong mutual authentication mechanism between the two parties. Whenever a product is an intermediary or proxy fortransactions between two other components, the proxy coreshould not drop the identity of the initiator of thetransaction. The immutability of the identity of theinitiator must be maintained and should be forwarded all theway to the target. FTP bounce attack. The design of the protocol allows an attacker to modify the PORT command to cause the FTP server to connect to other machines besides the attacker's. RPC portmapper could redirect service requests from an attacker to another entity, which thinks the requests came from the portmapper. FTP server does not ensure that the IP address in a PORT command is the same as the FTP user's session, allowing port scanning by proxy. Web server allows attackers to request a URL from another server, including other ports, which allows proxied scanning. CGI script accepts and retrieves incoming URLs. Bounce attack allows access to TFTP from trusted side. Web-based mail program allows internal network scanning using a modified POP3 port number. URL-downloading library automatically follows redirects to file:// and scp:// URLs

References

134c704f-9b21-4f2e-91b3-4a467353bcc0 Exploit

https://github.com/axios/axios/security/advisories/GHSA-3p68-rc4w-qgx5 Exploit Mitigation Vendor Advisory

security-advisories@github.com Patch Exploit

https://datatracker.ietf.org/doc/html/rfc1034#section-3.1 Technical Description
https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2 Technical Description
https://github.com/axios/axios/commit/03cdfc99e8db32a390e12128208b6778492cee9c Patch
https://github.com/axios/axios/commit/fb3befb6daac6cad26b2e54094d0f2d9e47f24df Patch
https://github.com/axios/axios/pull/10661 Issue Tracking Patch
https://github.com/axios/axios/pull/10688 Issue Tracking
https://github.com/axios/axios/releases/tag/v0.31.0 Release Notes
https://github.com/axios/axios/releases/tag/v1.15.0 Product Release Notes
https://github.com/axios/axios/security/advisories/GHSA-3p68-rc4w-qgx5 Exploit Mitigation Vendor Advisory

AFFECTED (from MITRE)

Vendor	Product	Versions
axios	axios	>= 1.0.0, < 1.15.0 [affected] < 0.31.0 [affected]
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

CPE

cpe	start	end
Configuration 1
cpe:2.3:a:axios:axios::::::node.js::*		< 1.15.0

REMEDIATION

Patch

Url
https://github.com/axios/axios/commit/03cdfc99e8db32a390e12128208b6778492cee9c
https://github.com/axios/axios/commit/fb3befb6daac6cad26b2e54094d0f2d9e47f24df
https://github.com/axios/axios/pull/10661

EXPLOITS

Exploit-db.com

id	description	date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
https://github.com/axios/axios/security/advisories/GHSA-3p68-rc4w-qgx5
https://github.com/axios/axios/security/advisories/GHSA-3p68-rc4w-qgx5

CAPEC

Common Attack Pattern Enumerations and Classifications

id	description	severity
219	XML Routing Detour Attacks An attacker subverts an intermediate system used to process XML content and forces the intermediate to modify and/or re-route the processing of the content. XML Routing Detour Attacks are Adversary in the Middle type attacks (CAPEC-94). The attacker compromises or inserts an intermediate system in the processing of the XML message. For example, WS-Routing can be used to specify a series of nodes or intermediaries through which content is passed. If any of the intermediate nodes in this route are compromised by an attacker they could be used for a routing detour attack. From the compromised system the attacker is able to route the XML process to other nodes of their choice and modify the responses so that the normal chain of processing is unaware of the interception. This system can forward the message to an outside entity and hide the forwarding and processing from the legitimate processing systems by altering the header information. [Survey the target] Using command line or an automated tool, an attacker records all instances of web services to process XML requests. [Identify SOAP messages that have multiple state processing.] Inspect instance to see whether the XML processing has multiple stages or not. [Launch an XML routing detour attack] The attacker injects a bogus routing node (using a WS-Referral service) into the routing table of the XML header of the SOAP message identified in the Explore phase. Thus, the attacker can route the XML message to the attacker controlled node (and access the message contents).	Medium
465	Transparent Proxy Abuse A transparent proxy serves as an intermediate between the client and the internet at large. It intercepts all requests originating from the client and forwards them to the correct location. The proxy also intercepts all responses to the client and forwards these to the client. All of this is done in a manner transparent to the client.	Medium

MITRE

Techniques

id	description
T1090.001	Proxy: Internal Proxy
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Mitigations

id	description
M1031	Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific C2 protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.
© 2022 The MITRE Corporation. Esta obra se reproduce y distribuye con el permiso de The MITRE Corporation.

Cybersecurity needs ?

Strengthen software security from the outset with our DevSecOps expertise

Integrate security right from the start of the software development cycle for more robust applications and greater customer confidence.
Our team of DevSecOps experts can help you secure your APIs, data pipelines, CI/CD chains, Docker containers and Kubernetes deployments.

Discover this offer

Soutenez No Hack Me sur Tipeee