Critical Axios Vulnerability CVE-2025-62718: Proxy Bypass Threatens Node.js & Browser Security
A critical vulnerability in the widely used Axios HTTP client library allows attackers to bypass NO_PROXY rules and force sensitive requests through a malicious proxy. The flaw, designated CVE-2025-62718, specifically affects versions prior to 1.15.0, including the still-deployed axios-0.19.2.tgz. This bypass undermines a core security expectation for developers, creating a direct path for traffic interception and manipulation.
The vulnerability resides in Axios's flawed hostname normalization logic. When an application makes a request to a loopback address such as `localhost.` (with a trailing dot) or the IPv6 literal `[::1]`, the library incorrectly skips NO_PROXY matching. Consequently, traffic intended to stay local and protected is instead routed through any configured proxy server. This deviation from expected behavior provides a clear attack vector, enabling threat actors to redirect and potentially monitor or alter communications meant for internal services.
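As an added illustration (not Axios's own code and not its patched logic), the JavaScript below puts the class of mistake described above beside a hardened NO_PROXY matcher. `naiveBypass` compares the raw hostname, so `localhost.` and `[::1]` never match NO_PROXY entries for `localhost` and `::1` and the request falls through to the proxy; `shouldBypassProxy` canonicalizes the hostname (lower-case, IPv6 brackets and trailing dot removed) before matching. The function names, the NO_PROXY grammar handled (exact host, leading-dot suffix, optional `:port`, `*`) and the sample configuration are assumptions of this example.

```javascript
// Added example, not Axios's code: a hardened NO_PROXY matcher next to a
// constructed illustration of the bug class (raw hostname comparison).
// Assumed names: normalizeHostname, parseNoProxy, shouldBypassProxy, naiveBypass.

// Canonicalize a hostname so equivalent spellings compare equal:
// lower-case, strip IPv6 brackets, strip one trailing dot (FQDN form).
function normalizeHostname(host) {
  let h = String(host).trim().toLowerCase();
  if (h.startsWith("[") && h.endsWith("]")) h = h.slice(1, -1);
  if (h.endsWith(".")) h = h.slice(0, -1);
  return h;
}

// Cheap IP-literal test so domain-suffix matching is applied to DNS names only.
function isIpLiteral(host) {
  return host.includes(":") || /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// Split a NO_PROXY string into { host, port } entries, normalizing each host
// exactly as request hostnames are normalized.
function parseNoProxy(noProxy) {
  return String(noProxy || "")
    .split(",")
    .map((e) => e.trim())
    .filter(Boolean)
    .map((e) => {
      let host = e;
      let port = null;
      const bracketed = /^\[([^\]]+)\](?::(\d+))?$/.exec(e); // [::1] or [::1]:8080
      if (bracketed) {
        host = bracketed[1];
        port = bracketed[2] ? Number(bracketed[2]) : null;
      } else {
        const idx = e.lastIndexOf(":");
        // Treat the last ":" as a port separator only when it is the sole one;
        // an unbracketed IPv6 literal such as ::1 contains several.
        if (idx !== -1 && !e.slice(0, idx).includes(":")) {
          host = e.slice(0, idx);
          port = Number(e.slice(idx + 1));
        }
      }
      return { host: normalizeHostname(host), port };
    });
}

// Effective port of a request URL (scheme default when none is given).
function requestPort(u) {
  if (u.port) return Number(u.port);
  return u.protocol === "https:" ? 443 : 80;
}

// Hardened check: normalize first, then match exact host, "*", or a
// leading-dot domain suffix (DNS names only), honouring an entry's port.
function shouldBypassProxy(url, noProxy) {
  const u = new URL(url);
  const host = normalizeHostname(u.hostname);
  const port = requestPort(u);
  for (const entry of parseNoProxy(noProxy)) {
    if (entry.port !== null && entry.port !== port) continue;
    if (entry.host === "*" || entry.host === host) return true;
    const suffix = entry.host.startsWith(".") ? entry.host : "." + entry.host;
    if (!isIpLiteral(host) && host.endsWith(suffix)) return true;
  }
  return false;
}

// Constructed illustration of the bug class (NOT the Axios implementation):
// comparing the raw hostname means "localhost." and "[::1]" never equal the
// normalized entries "localhost" and "::1", so no exclusion applies.
function naiveBypass(url, noProxy) {
  const host = new URL(url).hostname;
  return parseNoProxy(noProxy).some((e) => e.host === host);
}

// Constructed sample configuration and targets.
const SAMPLE_NO_PROXY = "localhost,127.0.0.1,::1,.internal.example";
for (const target of ["http://localhost./health", "http://[::1]:8080/metrics"]) {
  console.log(target, "naive:", naiveBypass(target, SAMPLE_NO_PROXY),
              "hardened:", shouldBypassProxy(target, SAMPLE_NO_PROXY));
}
```

The defensive point is that NO_PROXY must be evaluated on the canonical form of the host the request will actually reach; any spelling that the comparison does not canonicalize is a spelling that silently reaches the proxy.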
The implications are severe for any Node.js or browser-based application using a vulnerable Axios version in environments where a proxy might be configured, whether intentionally or via compromise. This includes development setups, CI/CD pipelines, and certain production deployments. The risk is not theoretical; it represents a tangible failure in access control that could lead to data leakage, credential theft, or internal API exploitation. All teams must immediately verify their Axios dependency version and upgrade to 1.15.0 or later to close this critical security gap.
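To support the version check the advisory calls for, here is an added JavaScript example (not from the advisory or the Axios project) that audits a lockfileVersion 2 or 3 `package-lock.json` for every installed copy of axios, including copies nested under other dependencies, and flags those below 1.15.0, the fixed release the advisory names. The sample lockfile is constructed for the example, and the helper names are assumptions.

```javascript
// Added example, not part of the advisory: audit a package-lock.json
// (lockfileVersion 2 or 3) for axios copies older than the fixed release.
// Assumed names: FIXED_VERSION, parseSemver, compareSemver,
// isAffectedVersion, findAxiosVersions, SAMPLE_LOCK.

const FIXED_VERSION = "1.15.0"; // fixed release named in the advisory

// Parse "MAJOR.MINOR.PATCH[-prerelease]" (optional leading "v").
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Numeric comparison; a pre-release sorts before the final release with the
// same numbers, so "1.15.0-beta.1" still counts as prior to 1.15.0.
function compareSemver(a, b) {
  const x = parseSemver(a);
  const y = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (x.nums[i] !== y.nums[i]) return x.nums[i] < y.nums[i] ? -1 : 1;
  }
  if (x.pre && !y.pre) return -1;
  if (!x.pre && y.pre) return 1;
  return 0;
}

// Versions prior to 1.15.0 are affected, per the advisory.
function isAffectedVersion(version) {
  return compareSemver(version, FIXED_VERSION) < 0;
}

// Walk the "packages" map; every key that ends in "node_modules/axios" is an
// installed copy, whether hoisted to the top level or nested under another
// package (nested copies are the ones `npm ls` users most often overlook).
function findAxiosVersions(lockfile) {
  const packages = (lockfile && lockfile.packages) || {};
  const found = [];
  for (const [path, meta] of Object.entries(packages)) {
    if (path === "node_modules/axios" || path.endsWith("/node_modules/axios")) {
      found.push({ path, version: meta.version, affected: isAffectedVersion(meta.version) });
    }
  }
  return found;
}

// Constructed sample lockfile: a fixed top-level axios and an old copy
// nested under a third-party SDK.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.15.0" },
    "node_modules/some-sdk": { version: "2.3.1" },
    "node_modules/some-sdk/node_modules/axios": { version: "0.19.2" },
  },
};

for (const hit of findAxiosVersions(SAMPLE_LOCK)) {
  console.log(`${hit.path} axios@${hit.version} ${hit.affected ? "AFFECTED" : "ok"}`);
}
```

Run it against a real lockfile by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; a nested affected copy means a transitive dependency must be bumped or overridden, not only the direct one.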