SB2026041001 - Two vulnerabilities in Axios
Published: April 10, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 vulnerabilities.
1) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2025-62718)
CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:L/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to conduct server-side request forgery and disclose sensitive information.
The vulnerability exists due to improper hostname normalization in NO_PROXY rule evaluation when processing attacker-controlled request URLs. A remote attacker can supply a crafted URL using forms such as localhost. or [::1] to conduct server-side request forgery and disclose sensitive information.
Applications that rely on NO_PROXY entries for loopback or internal services are affected.
2) HTTP response splitting (CVE-ID: N/A)
CWE-ID: CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code or compromise cloud resources.
The vulnerability exists due to improper neutralization of CRLF sequences in HTTP headers in lib/adapters/http.js when merging polluted header properties into outbound requests. A remote attacker can pollute Object.prototype through another vulnerable dependency and trigger a crafted request smuggling chain to execute arbitrary code or compromise cloud resources.
Exploitation requires chaining with a prototype pollution vulnerability in another dependency and can bypass AWS IMDSv2 protections to obtain metadata service tokens.
Remediation
Install update from vendor's website.