Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:npm/axios@1.14.0

Type npm

Namespace

Name axios

Version 1.14.0

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 1.15.0

Latest_non_vulnerable_version 1.15.2

Affected_by_vulnerabilities

url VCID-axk7-6q4b-vuga

vulnerability_id VCID-axk7-6q4b-vuga

summary

Axios has a NO_PROXY Hostname Normalization Bypass Leads to SSRF
Axios does not correctly handle hostname normalization when checking `NO_PROXY` rules.
Requests to loopback addresses like `localhost.` (with a trailing dot) or `[::1]` (IPv6 literal) skip `NO_PROXY` matching and go through the configured proxy.

This goes against what developers expect and lets attackers force requests through a proxy, even if `NO_PROXY` is set up to protect loopback or internal services.

According to [RFC 1034 §3.1](https://datatracker.ietf.org/doc/html/rfc1034#section-3.1) and [RFC 3986 §3.2.2](https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2), a hostname can have a trailing dot to show it is a fully qualified domain name (FQDN). At the DNS level, `localhost.` is the same as `localhost`. 
However, Axios does a literal string comparison instead of normalizing hostnames before checking `NO_PROXY`. This causes requests like `http://localhost.:8080/` and `http://[::1]:8080/` to be incorrectly proxied.

This issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or internal services despite the configured protections.

---

**PoC**

```js
import http from "http";
import axios from "axios";

const proxyPort = 5300;

http.createServer((req, res) => {
  console.log("[PROXY] Got:", req.method, req.url, "Host:", req.headers.host);
  res.writeHead(200, { "Content-Type": "text/plain" });
  res.end("proxied");
}).listen(proxyPort, () => console.log("Proxy", proxyPort));

process.env.HTTP_PROXY = `http://127.0.0.1:${proxyPort}`;
process.env.NO_PROXY = "localhost,127.0.0.1,::1";

async function test(url) {
  try {
    await axios.get(url, { timeout: 2000 });
  } catch {}
}

setTimeout(async () => {
  console.log("\n[*] Testing http://localhost.:8080/");
  await test("http://localhost.:8080/"); // goes through proxy

  console.log("\n[*] Testing http://[::1]:8080/");
  await test("http://[::1]:8080/"); // goes through proxy
}, 500);
```

**Expected:** Requests bypass the proxy (direct to loopback).
**Actual:** Proxy logs requests for `localhost.` and `[::1]`.

---

**Impact**

* Applications that rely on `NO_PROXY=localhost,127.0.0.1,::1` for protecting loopback/internal access are vulnerable.
* Attackers controlling request URLs can:

  * Force Axios to send local traffic through an attacker-controlled proxy.
  * Bypass SSRF mitigations relying on NO\_PROXY rules.
  * Potentially exfiltrate sensitive responses from internal services via the proxy.
  
  
---

**Affected Versions**

* Confirmed on Axios **1.12.2** (latest at time of testing).
* affects all versions that rely on Axios’ current `NO_PROXY` evaluation.

---

**Remediation**
Axios should normalize hostnames before evaluating `NO_PROXY`, including:

* Strip trailing dots from hostnames (per RFC 3986).
* Normalize IPv6 literals by removing brackets for matching.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-62718.json

reference_id

reference_type

scores

value	7.0
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-62718.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-62718

reference_id

reference_type

scores

value	0.00015
scoring_system	epss
scoring_elements	0.0329
published_at	2026-04-13T12:55:00Z

value	0.00015
scoring_system	epss
scoring_elements	0.0334
published_at	2026-04-11T12:55:00Z

value	0.00015
scoring_system	epss
scoring_elements	0.03312
published_at	2026-04-12T12:55:00Z

value	0.00034
scoring_system	epss
scoring_elements	0.09709
published_at	2026-04-16T12:55:00Z

value	0.00034
scoring_system	epss
scoring_elements	0.09679
published_at	2026-04-18T12:55:00Z

value	0.00035
scoring_system	epss
scoring_elements	0.10371
published_at	2026-04-29T12:55:00Z

value	0.00035
scoring_system	epss
scoring_elements	0.10426
published_at	2026-04-26T12:55:00Z

value	0.00035
scoring_system	epss
scoring_elements	0.10437
published_at	2026-04-24T12:55:00Z

value	0.00041
scoring_system	epss
scoring_elements	0.12512
published_at	2026-04-21T12:55:00Z

value	0.00043
scoring_system	epss
scoring_elements	0.13105
published_at	2026-05-07T12:55:00Z

value	0.00043
scoring_system	epss
scoring_elements	0.13186
published_at	2026-05-09T12:55:00Z

value	0.00043
scoring_system	epss
scoring_elements	0.12953
published_at	2026-05-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-62718

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-62718
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-62718

reference_url

https://datatracker.ietf.org/doc/html/rfc1034#section-3.1

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-09T15:02:50Z/

url

https://datatracker.ietf.org/doc/html/rfc1034#section-3.1

reference_url

https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-09T15:02:50Z/

url

https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/axios/axios

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/axios/axios

reference_url

https://github.com/axios/axios/commit/03cdfc99e8db32a390e12128208b6778492cee9c

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-09T15:02:50Z/

url

https://github.com/axios/axios/commit/03cdfc99e8db32a390e12128208b6778492cee9c

reference_url

https://github.com/axios/axios/commit/fb3befb6daac6cad26b2e54094d0f2d9e47f24df

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-09T15:02:50Z/

url

https://github.com/axios/axios/commit/fb3befb6daac6cad26b2e54094d0f2d9e47f24df

reference_url

https://github.com/axios/axios/pull/10661

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-09T15:02:50Z/

url

https://github.com/axios/axios/pull/10661

reference_url

https://github.com/axios/axios/pull/10688

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-09T15:02:50Z/

url

https://github.com/axios/axios/pull/10688

reference_url

https://github.com/axios/axios/releases/tag/v0.31.0

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-09T15:02:50Z/

url

https://github.com/axios/axios/releases/tag/v0.31.0

reference_url

https://github.com/axios/axios/releases/tag/v1.15.0

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-09T15:02:50Z/

url

https://github.com/axios/axios/releases/tag/v1.15.0

reference_url

https://github.com/axios/axios/security/advisories/GHSA-3p68-rc4w-qgx5

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-09T15:02:50Z/

url

https://github.com/axios/axios/security/advisories/GHSA-3p68-rc4w-qgx5

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-62718

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-62718

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2456913
reference_id	2456913
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2456913

reference_url

https://github.com/advisories/GHSA-3p68-rc4w-qgx5

reference_id

GHSA-3p68-rc4w-qgx5

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-3p68-rc4w-qgx5

reference_url	https://access.redhat.com/errata/RHSA-2026:10175
reference_id	RHSA-2026:10175
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:10175

reference_url	https://access.redhat.com/errata/RHSA-2026:13571
reference_id	RHSA-2026:13571
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:13571

reference_url	https://access.redhat.com/errata/RHSA-2026:13826
reference_id	RHSA-2026:13826
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:13826

reference_url	https://access.redhat.com/errata/RHSA-2026:14937
reference_id	RHSA-2026:14937
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:14937

reference_url	https://access.redhat.com/errata/RHSA-2026:8483
reference_id	RHSA-2026:8483
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:8483

reference_url	https://access.redhat.com/errata/RHSA-2026:8484
reference_id	RHSA-2026:8484
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:8484

reference_url	https://access.redhat.com/errata/RHSA-2026:8490
reference_id	RHSA-2026:8490
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:8490

reference_url	https://access.redhat.com/errata/RHSA-2026:8491
reference_id	RHSA-2026:8491
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:8491

reference_url	https://access.redhat.com/errata/RHSA-2026:8493
reference_id	RHSA-2026:8493
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:8493

reference_url	https://access.redhat.com/errata/RHSA-2026:9742
reference_id	RHSA-2026:9742
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:9742

fixed_packages

url	pkg:npm/axios@1.15.0
purl	pkg:npm/axios@1.15.0
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/axios@1.15.0

aliases CVE-2025-62718, GHSA-3p68-rc4w-qgx5

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-axk7-6q4b-vuga

Fixing_vulnerabilities

url VCID-qkmj-smh6-2bgn

vulnerability_id VCID-qkmj-smh6-2bgn

summary

Embedded Malicious Code via compromised maintainer account
Two malicious versions of the axios npm package (1.14.1 and 0.30.4) were published on March 31, 2026 using a compromised maintainer account. Both versions inject a hidden dependency (`plain-crypto-js@4.2.1`) that deploys a cross-platform remote access trojan targeting macOS, Windows, and Linux. The malicious `postinstall` script contacts a command-and-control server and downloads a platform-specific second-stage payload. Any system that ran `npm install` while either version was available should be treated as fully compromised. The malicious packages have been removed from the npm registry.

references

reference_url	https://github.com/axios/axios/issues/10604
reference_id
reference_type
scores
url	https://github.com/axios/axios/issues/10604

reference_url	https://socket.dev/blog/axios-npm-package-compromised
reference_id
reference_type
scores
url	https://socket.dev/blog/axios-npm-package-compromised

reference_url	https://thehackernews.com/2026/03/axios-supply-chain-attack-pushes-cross.html
reference_id
reference_type
scores
url	https://thehackernews.com/2026/03/axios-supply-chain-attack-pushes-cross.html

reference_url	https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan
reference_id
reference_type
scores
url	https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan

fixed_packages

url pkg:npm/axios@0.30.3

purl pkg:npm/axios@0.30.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-axk7-6q4b-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/axios@0.30.3

url pkg:npm/axios@1.14.0

purl pkg:npm/axios@1.14.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-axk7-6q4b-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/axios@1.14.0

aliases GHSA-fw8c-xr5c-95f9

risk_score null

exploitability 0.5

weighted_severity 0.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qkmj-smh6-2bgn

Risk_score 4.5

Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/axios@1.14.0

Package Instance