CVE-2025-27152


axios is a promise-based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios. This issue is fixed in 1.8.2.


Published

2025-03-07T16:15:38.773

Last Modified

2025-11-25T17:58:17.213

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 5.3 (MEDIUM)

Weaknesses
  • Type: Secondary
    CWE-918

Affected Vendors & Products
Type         Vendor  Product  Version/Range  Vulnerable?
Application  axios   axios    < 0.30.0       Yes
Application  axios   axios    ≤ 1.7.9        Yes