Platform
nodejs
Component
axios
Fixed in
1.8.3
1.8.2
CVE-2025-27152 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in the Axios Node.js package. This flaw allows attackers to potentially trigger requests to unintended internal resources or external services, leading to data exposure or other malicious actions. The vulnerability affects versions of Axios prior to 1.8.2 and can be exploited by passing absolute URLs instead of protocol-relative URLs, bypassing the intended baseURL configuration.
The primary impact of CVE-2025-27152 is the potential for SSRF. An attacker can craft requests that, when processed by an application using Axios, are sent to arbitrary destinations. This could include internal services that are not directly accessible from the outside, or external resources that the application should not be accessing. Specifically, if an application uses Axios to interact with an internal API, an attacker could manipulate the URL to target that API directly, potentially exposing sensitive data or triggering unintended actions. The vulnerability also poses a risk of credential leakage if Axios is used to make requests that include authentication tokens or other sensitive information, as these credentials could be exposed in the SSRF request. This is similar to other SSRF vulnerabilities where attackers leverage internal network access to gain unauthorized information.
CVE-2025-27152 was publicly disclosed on March 7, 2025. The vulnerability builds upon a previously reported issue (axios/axios#6463) and highlights the importance of careful URL handling in client libraries. As of the current date, there is no indication of active exploitation campaigns targeting this vulnerability. The EPSS score is currently pending evaluation. Refer to the official Axios advisory for further details.
Applications built with Node.js that utilize the Axios package are at risk. This includes both server-side applications (e.g., REST APIs, backend services) and client-side applications (e.g., web applications using Axios for API calls). Specifically, applications that rely on Axios to interact with internal APIs or resources without proper URL validation are particularly vulnerable.
• nodejs / server: `npm list axios`
• nodejs / server: `find / -type d -path "*/node_modules/axios" -print`
• generic web: Inspect application code for instances where Axios is used with absolute URLs, particularly when interacting with internal APIs or resources.
disclosure
Exploit status
EPSS
0.07% (22nd percentile)
CISA SSVC
The recommended mitigation for CVE-2025-27152 is to upgrade to Axios version 1.8.2 or later. This version includes a fix that prevents the SSRF vulnerability by correctly handling absolute URLs. If upgrading is not immediately feasible, consider implementing input validation to sanitize URLs passed to Axios, ensuring that only protocol-relative URLs are used. Additionally, restrict network access for the application using Axios to only the necessary resources, minimizing the potential impact of a successful SSRF attack. While a WAF might offer some protection, it's not a substitute for patching the Axios dependency. There are no specific Sigma or YARA rules available for this vulnerability at this time.
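As an added example (not code from the advisory or from the axios project), the input validation described above can be implemented as a guard in front of the client: it rejects any request URL that carries a scheme or a `//` host prefix, since both resolve away from the configured baseURL, and it checks that the resolved URL stays on the base origin and under the base path. The base URL and all inputs are constructed sample values.

```javascript
// Added example, not code from the advisory or from the axios project:
// a guard that refuses request URLs which would escape the configured
// baseURL, so an attacker-supplied string cannot redirect the request
// (and any Authorization header attached to it) to another host.
// BASE_URL is a constructed sample value; `URL` is Node's built-in parser.
const BASE_URL = 'https://internal-api.example.test/v1/';

// True when `input` carries a scheme ("http:", "file:", ...) or is
// protocol-relative ("//host/..."); both resolve away from baseURL.
function isAbsoluteURL(input) {
  return /^[a-z][a-z0-9+.-]*:/i.test(input) || input.startsWith('//');
}

// Resolve `input` against baseURL and verify the result stays on the
// base origin and under the base path. Throws on anything else.
function resolveSafely(input, baseURL = BASE_URL) {
  if (typeof input !== 'string' || isAbsoluteURL(input)) {
    throw new Error(`rejected absolute URL: ${input}`);
  }
  const base = new URL(baseURL);
  const resolved = new URL(input, base);
  // The origin check catches "\\host" and similar forms the parser turns
  // into a new authority; the prefix check blocks "../" escapes from /v1/.
  if (resolved.origin !== base.origin ||
      !resolved.pathname.startsWith(base.pathname)) {
    throw new Error(`rejected URL outside baseURL: ${resolved.href}`);
  }
  return resolved.href;
}

// Route every call through the guard. `client` is anything exposing
// get(url, config); an axios instance fits that shape.
function guardedGet(client, input, config) {
  return client.get(resolveSafely(input), config);
}

// Stand-alone demonstration with constructed inputs.
for (const candidate of ['users/42', '../admin', '//evil.example/x', 'http://evil.example/']) {
  try {
    console.log('allowed ', resolveSafely(candidate));
  } catch (err) {
    console.log('rejected', candidate, '-', err.message);
  }
}
```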
Update the axios library to version 1.8.2 or later. This fixes the SSRF vulnerability and the possible credential leak when absolute URLs are used in requests. Run `npm install axios@latest` or `yarn add axios@latest` to update.
CVE-2025-27152 is a HIGH severity SSRF vulnerability in Axios versions before 1.8.2. It allows attackers to trigger requests to unintended resources by using absolute URLs instead of protocol-relative ones.
You are affected if you are using Axios versions prior to 1.8.2 and your application allows absolute URLs to be passed to Axios without proper validation.
Upgrade to Axios version 1.8.2 or later. As a temporary workaround, implement input validation to sanitize URLs passed to Axios, ensuring only protocol-relative URLs are used.
As of the current date, there is no indication of active exploitation campaigns targeting this vulnerability, but vigilance is advised.
Refer to the Axios GitHub repository and related security advisories for the most up-to-date information: https://github.com/axios/axios