SB2026041001 - Two vulnerabilities in Axios
Published: April 10, 2026
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2025-62718)
The vulnerability allows a remote attacker to conduct server-side request forgery and disclose sensitive information.
The vulnerability exists due to improper hostname normalization in NO_PROXY rule evaluation when processing attacker-controlled request URLs. A remote attacker can supply a crafted URL using hostname forms such as "localhost." (with a trailing dot) or "[::1]" to conduct server-side request forgery and disclose sensitive information.
Applications that rely on NO_PROXY entries for loopback or internal services are affected.
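The normalization gap described above, as an added example that is not Axios source code: a raw string comparison against NO_PROXY beside a check that canonicalizes both sides first. The function names and the sample NO_PROXY value are constructed for illustration, and entries are assumed to carry no port or CIDR suffix.

```javascript
// Added example: hypothetical helpers, not code from Axios.
// Constructed sample value for the NO_PROXY environment variable.
const SAMPLE_NO_PROXY = 'localhost,127.0.0.1,::1,.internal.example';

// Naive check: compares the raw URL hostname with each NO_PROXY entry.
// Equivalent spellings of the same host do not match.
function naiveBypassesProxy(requestUrl, noProxy) {
  const host = new URL(requestUrl).hostname; // e.g. "localhost." or "[::1]"
  return noProxy.split(',').map((e) => e.trim()).includes(host);
}

// Canonical form: lower-case, no IPv6 brackets, no trailing root dot.
function normalizeHost(host) {
  return host.toLowerCase().replace(/^\[|\]$/g, '').replace(/\.+$/, '');
}

// After URL parsing, IPv4 hosts are dotted-decimal and IPv6 hosts contain ':'.
function isIpLiteral(host) {
  return host.includes(':') || /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// Normalized check: both the request host and each entry are canonicalized.
function bypassesProxy(requestUrl, noProxy) {
  const host = normalizeHost(new URL(requestUrl).hostname);
  return noProxy
    .split(',')
    .map((e) => normalizeHost(e.trim()))
    .filter(Boolean)
    .some((entry) => {
      if (entry === '*') return true;
      // IP literals must match exactly; suffix rules apply to names only.
      if (isIpLiteral(host)) return host === entry;
      const suffix = entry.replace(/^\./, '');
      return host === suffix || host.endsWith('.' + suffix);
    });
}

// Constructed request URLs covering the forms named in the bulletin.
for (const url of ['http://localhost/', 'http://localhost./', 'http://[::1]:8080/']) {
  console.log(url, 'naive:', naiveBypassesProxy(url, SAMPLE_NO_PROXY),
    'normalized:', bypassesProxy(url, SAMPLE_NO_PROXY));
}
```

A disagreement between the two checks for the same URL marks a host spelling that a raw comparison treats as outside the NO_PROXY list.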
2) HTTP response splitting (CVE-ID: N/A)
The vulnerability allows a remote attacker to execute arbitrary code or compromise cloud resources.
The vulnerability exists due to improper neutralization of CRLF sequences in HTTP headers in lib/adapters/http.js when merging polluted header properties into outbound requests. A remote attacker can pollute Object.prototype through another vulnerable dependency and trigger a crafted request smuggling chain to execute arbitrary code or compromise cloud resources.
Exploitation requires chaining with a prototype pollution vulnerability in another dependency and can bypass AWS IMDSv2 protections to obtain metadata service tokens.
Remediation
Install update from vendor's website.