Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services. This issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or internal services despite the configured protections. This vulnerability is fixed in 1.15.0 and 0.31.0.
https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-62718.json
https://github.com/axios/axios/security/advisories/GHSA-3p68-rc4w-qgx5
https://github.com/axios/axios/releases/tag/v1.15.0
https://github.com/axios/axios/releases/tag/v0.31.0
https://github.com/axios/axios/pull/10688
https://github.com/axios/axios/pull/10661
https://github.com/axios/axios/commit/fb3befb6daac6cad26b2e54094d0f2d9e47f24df
https://github.com/axios/axios/commit/03cdfc99e8db32a390e12128208b6778492cee9c
https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2
https://datatracker.ietf.org/doc/html/rfc1034#section-3.1
https://bugzilla.redhat.com/show_bug.cgi?id=2456913
https://access.redhat.com/security/cve/CVE-2025-62718
https://access.redhat.com/errata/RHSA-2026:9742
https://access.redhat.com/errata/RHSA-2026:8493
https://access.redhat.com/errata/RHSA-2026:8491
https://access.redhat.com/errata/RHSA-2026:8490
https://access.redhat.com/errata/RHSA-2026:8484
https://access.redhat.com/errata/RHSA-2026:8483
https://access.redhat.com/errata/RHSA-2026:36882
https://access.redhat.com/errata/RHSA-2026:26010
https://access.redhat.com/errata/RHSA-2026:24977
https://access.redhat.com/errata/RHSA-2026:24866
https://access.redhat.com/errata/RHSA-2026:24853
https://access.redhat.com/errata/RHSA-2026:24766
https://access.redhat.com/errata/RHSA-2026:24761
https://access.redhat.com/errata/RHSA-2026:24471
https://access.redhat.com/errata/RHSA-2026:23361
https://access.redhat.com/errata/RHSA-2026:22840
https://access.redhat.com/errata/RHSA-2026:22629
https://access.redhat.com/errata/RHSA-2026:22465
https://access.redhat.com/errata/RHSA-2026:21017
https://access.redhat.com/errata/RHSA-2026:20938
https://access.redhat.com/errata/RHSA-2026:20889
https://access.redhat.com/errata/RHSA-2026:19712
https://access.redhat.com/errata/RHSA-2026:19375
https://access.redhat.com/errata/RHSA-2026:17699
https://access.redhat.com/errata/RHSA-2026:17657
https://access.redhat.com/errata/RHSA-2026:16874
https://access.redhat.com/errata/RHSA-2026:14937
https://access.redhat.com/errata/RHSA-2026:13826
Published: 2026-04-09
Updated: 2026-07-10
Base Score: 9
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:P/A:P
Severity: High
Base Score: 9.9
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L
Severity: Critical
Base Score: 6.3
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
Severity: Medium
EPSS: 0.00015