Ghostwire

CVE-2025-62718: Axios has a NO_PROXY Hostname Normalization Bypass Leads to SSRF

MEDIUM CVSS 5.0 EPSS 0.01% Exploit Available 2 PoC

Published: April 9, 2026 | Last Modified: April 11, 2026

Description

Axios has a NO_PROXY Hostname Normalization Bypass Leads to SSRF

Ghostwire Analysis — What This Means Practically

Exploitation Probability (EPSS): Low — 0.01% (3th percentile)

Low exploitation probability based on current threat landscape data. Standard patching timeline is appropriate.

Medium CVSS score indicates moderate risk — exploitation requires specific conditions or results in limited impact.
2 proof-of-concept exploits available on GitHub. Public exploit code lowers the barrier for both researchers and attackers.

This analysis is generated by Ghostwire from NVD, CISA KEV, EPSS, and open-source intelligence data. Verify findings through primary sources before acting.

Proof-of-Concept Exploits (2)

axios/axios
axios/axios

Security Coverage (2 articles)

References

www.cnnvd.org.cn/home/globalSearch?keyword=CVE-2025-62718
www.tenable.com/cve/CVE-2025-62718
github.com/axios/axios/security/advisories/GHSA-3p68-rc4w-qgx5
nvd.nist.gov/vuln/detail/CVE-2025-62718
github.com/axios/axios/pull/10661
github.com/axios/axios/commit/fb3befb6daac6cad26b2e54094d0f2d9e47f24df
datatracker.ietf.org/doc/html/rfc1034#section-3.1
datatracker.ietf.org/doc/html/rfc3986#section-3.2.2
github.com/axios/axios/releases/tag/v1.15.0
github.com/advisories/GHSA-3p68-rc4w-qgx5