SCA: security update for axios (GHSA-3p68-rc4w-qgx5)

medium Tenable Self-Hosted Container Security Plugin ID 440122

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does
not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses
like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the
configured proxy. This goes against what developers expect and lets attackers force requests through a
proxy, even if NO_PROXY is set up to protect loopback or internal services. This issue leads to the
possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or
internal services despite the configured protections. This vulnerability is fixed in 1.15.0 and 0.31.0.
(CVE-2025-62718)

Solution

Update the axios library and its related packages to version 0.31.0 or later.

See Also

https://github.com/advisories/GHSA-3p68-rc4w-qgx5

Plugin Details

Severity: Medium

ID: 440122

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 4/9/2026

Updated: 7/7/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.4

Percentile: 96.89

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:P/A:P

CVSS Score Source: CVE-2025-62718

CVSS v3

Risk Factor: Critical

Base Score: 9.9

Temporal Score: 8.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 6.3

Threat Score: 2.9

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 4/9/2026

Vulnerability Publication Date: 4/9/2026

Reference Information

CVE: CVE-2025-62718