Server-Side Request Forgery (SSRF) in axios - #VU136908
Published: July 6, 2026
axios
Detailed vulnerability description
The vulnerability allows a remote attacker to perform server-side request forgery and disclose sensitive information.
The vulnerability exists due to improper input validation in shouldBypassProxy when handling requests to loopback-equivalent addresses. A remote attacker can supply a crafted URL using 0.0.0.0, ::, or ::ffff:0.0.0.0 to perform server-side request forgery and disclose sensitive information.
Exploitation requires an Axios client configured with a proxy and relying on NO_PROXY=localhost for loopback protection.