CVE-2025-27152: axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL
(updated )
A previously reported issue in axios demonstrated that using protocol-relative URLs could lead to SSRF (Server-Side Request Forgery). Reference: axios/axios#6463
A similar problem that occurs when passing absolute URLs rather than protocol-relative URLs to axios has been identified. Even if baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios.
References
- github.com/advisories/GHSA-jr5f-v2jv-69x6
- github.com/axios/axios
- github.com/axios/axios/commit/02c3c69ced0f8fd86407c23203835892313d7fde
- github.com/axios/axios/commit/fb8eec214ce7744b5ca787f2c3b8339b2f54b00f
- github.com/axios/axios/issues/6463
- github.com/axios/axios/pull/6829
- github.com/axios/axios/releases/tag/v1.8.2
- github.com/axios/axios/security/advisories/GHSA-jr5f-v2jv-69x6
- nvd.nist.gov/vuln/detail/CVE-2025-27152
Code Behaviors & Features
Detect and mitigate CVE-2025-27152 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →