CVE-2025-27152 Scanner

CVE-2025-27152 Scanner - Server-Side Request Forgery (SSRF) and Credential Disclosure vulnerability in Axios

Short Info

Level: High
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 9 days 12 hours
Scan only one: URL
Toolbox: -

Axios is a widely used promise-based HTTP client for both browser and Node.js environments. It is commonly integrated into modern web applications, APIs, and microservices to handle HTTP requests, and many developers choose it for its simplicity and extensive feature set. Because it sits between an application and the external and internal APIs it talks to, a vulnerability in how Axios handles requests can expose the whole application; keeping Axios deployments patched and correctly configured is therefore essential.

This vulnerability in Axios allows Server-Side Request Forgery (SSRF) and credential disclosure due to improper handling of absolute URLs. The issue occurs when absolute URLs are passed instead of protocol-relative URLs, allowing requests to bypass the baseURL setting. As a result, an attacker can manipulate request destinations, leading to unauthorized access to internal resources. Both server-side and client-side Axios implementations are affected, making this a critical security concern. This vulnerability is present in all Axios versions before 1.8.2. Applications using Axios should upgrade immediately to mitigate the risk.

Technical analysis reveals that this flaw originates from Axios’s `allowAbsoluteUrls` attribute being ignored when the HTTP adapter calls the `buildFullPath` function. Because the setting never reaches that function, an absolute URL supplied as the request path replaces the configured `baseURL` rather than being constrained by it. An attacker who controls that path can therefore redirect the request to arbitrary internal endpoints (SSRF), and credentials may be leaked if the redirected request reaches sensitive resources or carries authentication material. The vulnerability is particularly severe in applications handling confidential data or relying on Axios for secure API communication. Updating to Axios 1.8.2 addresses this issue by enforcing stricter URL validation.
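To make the mechanism concrete, the following is an added illustrative model, not Axios's own source: it reproduces the path-building logic the advisory describes in two forms (the setting ignored, and the setting honoured) and adds a defensive origin check that a caller can apply regardless of library version. The `buildFullPathIgnoringFlag`, `isSameOrigin` and `resolveOrReject` names and the example host names are assumptions constructed for this example.

```javascript
// Added illustrative example, not Axios's own source. It models the
// baseURL / absolute-URL interaction the advisory describes and shows a
// defensive origin check a caller can apply before dispatching a request.
// Host names below are constructed for the example.

const ABSOLUTE_URL_RE = /^([a-z][a-z\d+\-.]*:)?\/\//i;

// Scheme-qualified ("https://...") and protocol-relative ("//host/...") URLs
// both count as absolute.
function isAbsoluteURL(url) {
  return ABSOLUTE_URL_RE.test(url);
}

// Join baseURL and a relative path with exactly one slash between them.
function combineURLs(baseURL, relativeURL) {
  return relativeURL
    ? baseURL.replace(/\/?\/$/, '') + '/' + relativeURL.replace(/^\/+/, '')
    : baseURL;
}

// Vulnerable pattern described on the page: the allowAbsoluteUrls setting
// never reaches this function, so any absolute requestedURL replaces baseURL.
function buildFullPathIgnoringFlag(baseURL, requestedURL) {
  if (baseURL && !isAbsoluteURL(requestedURL)) {
    return combineURLs(baseURL, requestedURL);
  }
  return requestedURL;
}

// Intended behaviour: with allowAbsoluteUrls === false an absolute
// requestedURL is still appended under baseURL instead of replacing it.
function buildFullPath(baseURL, requestedURL, allowAbsoluteUrls) {
  const isRelative = !isAbsoluteURL(requestedURL);
  if (baseURL && (isRelative || allowAbsoluteUrls === false)) {
    return combineURLs(baseURL, requestedURL);
  }
  return requestedURL;
}

// Defence in depth independent of the library version: resolve the final
// target and refuse anything whose origin differs from the configured base.
function isSameOrigin(baseURL, fullPath) {
  try {
    return new URL(fullPath).origin === new URL(baseURL).origin;
  } catch (_) {
    return false; // unparseable target: treat as not allowed
  }
}

// Wrapper a caller can put in front of the HTTP client: returns the full
// path only when it stays on the baseURL origin, otherwise throws.
function resolveOrReject(baseURL, requestedURL, allowAbsoluteUrls = false) {
  const fullPath = buildFullPath(baseURL, requestedURL, allowAbsoluteUrls);
  if (!isSameOrigin(baseURL, fullPath)) {
    throw new Error(`request target ${fullPath} leaves origin of ${baseURL}`);
  }
  return fullPath;
}

// Constructed inputs for a quick demonstration.
const BASE = 'https://api.example.com/v1';
const USER_SUPPLIED = 'https://other-host.example/metadata';

console.log('setting ignored :', buildFullPathIgnoringFlag(BASE, USER_SUPPLIED));
console.log('setting honoured:', buildFullPath(BASE, USER_SUPPLIED, false));
console.log('same origin?    :', isSameOrigin(BASE, buildFullPathIgnoringFlag(BASE, USER_SUPPLIED)));
```

The origin check is the part worth carrying into application code: even after upgrading, a request whose resolved origin differs from the configured base should be rejected or at least logged, since that is the signal the vulnerable behaviour would have produced.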

If exploited, this vulnerability can have significant security consequences. Attackers can leverage SSRF to access internal systems, cloud metadata APIs, and sensitive internal resources. This could lead to unauthorized data exfiltration, system compromise, or even full application takeovers. In worst-case scenarios, credentials stored within server responses can be leaked, allowing attackers to escalate privileges. Organizations using Axios should implement strict input validation and upgrade to the patched version immediately. Proper security configurations, such as request allowlisting, can further mitigate risks.
