Critical SSRF Flaw in n8n 2.15.0: Bundled Axios Version Vulnerable to Internal Network Bypass (CVE-2025-62718)
A critical Server-Side Request Forgery (SSRF) vulnerability, tracked as CVE-2025-62718, ships in the current release of the workflow automation platform n8n. Version 2.15.0 bundles a vulnerable release of the popular Axios HTTP client library (v1.13.5). Because n8n exists to make outbound HTTP requests to destinations configured in workflows, an attacker who can influence the URL of such a request (the usual precondition for any SSRF) gains a direct path around proxy-based egress controls and into internal networks.
The flaw stems from improper hostname normalization when Axios evaluates the `NO_PROXY` environment variable. When an outbound proxy is configured, `NO_PROXY` lists the hosts and domain suffixes that are contacted directly rather than through the proxy, so whatever policy the proxy enforces (destination allow-lists, logging, blocking of link-local addresses) applies only to requests the matcher does not exempt. Because the hostname is not normalized consistently before it is compared against those entries, a malicious actor can craft a request whose destination is exempted when it should not be, and the request circumvents the configured proxy restrictions. In practice, this enables unauthorized access to sensitive internal resources, such as cloud metadata endpoints or other services presumed to be shielded from external reach. The vulnerable Axios library is embedded in multiple locations within the `n8nio/n8n:2.15.0` Docker image and the companion `n8nio/runners:2.15.0` task runner image, meaning both the core application and the workflow execution environment are exposed; a fix has to reach every copy, not just the top-level dependency.
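To make the bug class concrete, here is an added illustration in JavaScript, the language Axios and n8n are written in. It is not Axios's or n8n's code, and the page does not state which input forms trip Axios's real matcher: the naive matcher, the hostnames and the `NO_PROXY` value below are constructed to show how a routing decision made on an un-normalized hostname with no label-boundary check lets a request skip the proxy, and what a canonicalising matcher does differently.

```javascript
// Added illustration of the NO_PROXY hostname-matching bug class.
// NOT Axios's or n8n's code: the naive matcher, hostnames and NO_PROXY value
// are constructed for this example; the page does not state which input
// forms trip Axios's real matcher.

// Naive matcher: raw hostname from the URL, plain suffix test, no canonical
// form and no check that the suffix starts at a label boundary.
function naiveBypassesProxy(urlString, noProxy) {
  const host = new URL(urlString).hostname;
  return noProxy.split(',').map(s => s.trim()).filter(Boolean)
    .some(entry => host === entry || host.endsWith(entry));
}

// Canonical hostname: lowercase, no trailing dot, no IPv6 brackets.
function canonicalHost(host) {
  let h = host.toLowerCase();
  if (h.endsWith('.')) h = h.slice(0, -1);
  if (h.startsWith('[') && h.endsWith(']')) h = h.slice(1, -1);
  return h;
}

// Split a NO_PROXY entry into host and optional port, handling "[v6]:port"
// and bare IPv6 literals (which contain more than one colon).
function splitEntry(entry) {
  const v6 = entry.match(/^\[([^\]]+)\](?::(\d+))?$/);
  if (v6) return { host: v6[1], port: v6[2] || null };
  if ((entry.match(/:/g) || []).length > 1) return { host: entry, port: null };
  const [host, port] = entry.split(':');
  return { host, port: port || null };
}

// Hardened matcher: canonical form on both sides, exact match or suffix match
// at a label boundary, optional port restriction, "*" matches everything.
function hardenedBypassesProxy(urlString, noProxy) {
  const url = new URL(urlString);
  const host = canonicalHost(url.hostname);
  const port = url.port || (url.protocol === 'https:' ? '443' : '80');
  for (const raw of noProxy.split(',')) {
    const entry = raw.trim();
    if (!entry) continue;
    if (entry === '*') return true;
    const e = splitEntry(entry);
    if (e.port !== null && e.port !== port) continue;
    // ".x" and "*.x" both mean "x and its subdomains"
    const domain = canonicalHost(e.host.replace(/^\*?\./, ''));
    if (!domain) continue;
    if (host === domain || host.endsWith('.' + domain)) return true;
  }
  return false;
}

// Constructed scenario: an egress proxy is the enforcement point and blocks
// link-local/metadata addresses; only the listed internal zone may go direct.
const NO_PROXY = 'localhost,internal.example';
const REQUESTS = [
  'http://app.internal.example/',             // legitimate internal host
  'http://APP.internal.example./',            // same host, different spelling
  'http://evil-internal.example/',            // attacker-controlled name that may resolve to an internal IP
  'http://169.254.169.254/latest/meta-data/', // cloud metadata endpoint
];

// For each URL, report whether each matcher would let the request skip the proxy.
function routeDecisions() {
  return REQUESTS.map(u => ({
    url: u,
    naiveDirect: naiveBypassesProxy(u, NO_PROXY),
    hardenedDirect: hardenedBypassesProxy(u, NO_PROXY),
  }));
}

for (const d of routeDecisions()) {
  console.log(`${d.url}\n  naive: ${d.naiveDirect ? 'direct (skips proxy)' : 'via proxy'}` +
              `  hardened: ${d.hardenedDirect ? 'direct' : 'via proxy'}`);
}
```

Two things stand out in the output. The naive matcher classifies the same host differently depending on how it is spelled (`APP.internal.example.` with a trailing dot goes through the proxy, `app.internal.example` does not), which is exactly what "improper normalization" means: the decision depends on representation, not identity. Worse, it lets `evil-internal.example`, a name the attacker can point at any internal address, skip the proxy entirely because a bare `endsWith` has no label boundary. The hardened matcher canonicalises first and only accepts a suffix that begins at a dot.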
This is not a theoretical risk: the vulnerable build is the one being distributed to production environments. The fix is to upgrade the embedded Axios dependency to version 1.15.0 or later, which corrects the hostname normalization logic, and then to confirm that no older copy remains anywhere in the image. Organizations running n8n must treat this as an urgent operational security patch: the vulnerability gives an attacker a clear mechanism for internal network reconnaissance and data exfiltration, and it directly undermines any posture that relies on network segmentation enforced by a proxy. Until the patched build is deployed, do not rely on proxy and `NO_PROXY` settings alone to keep the n8n and runner containers away from internal addresses; enforce egress at the network layer (host firewall, network policy), where the application's routing decision cannot override it, and restrict who can create or edit workflows that issue HTTP requests.