Axios v1.15.0 Security Patch: Proxy Bypass Flaw in NO_PROXY Handling for Loopback Addresses
A critical security update for the widely used Axios HTTP client library patches a proxy bypass vulnerability that could allow attackers to intercept sensitive internal traffic. The flaw, tracked as CVE-2025-62718, stems from improper hostname normalization when checking `NO_PROXY` rules. Specifically, requests directed to loopback addresses written as `localhost.` (with a trailing dot) or as the IPv6 literal `[::1]` fail to match the `NO_PROXY` entries that cover them and are instead routed through the configured proxy server.
This behavior directly contradicts developer expectations and security configurations. The `NO_PROXY` environment variable is a standard mechanism to designate trusted hosts—like internal services and loopback interfaces—that should never be routed through an external proxy. The vulnerability undermines this fundamental security boundary, creating a potential vector for man-in-the-middle attacks on traffic intended to remain local and secure.
The update to version 1.15.0, highlighted in a GitHub dependency management pull request, is now being pushed across the software supply chain. The flaw's impact is broad, affecting any Node.js or browser application using Axios to communicate with localhost or internal network services while a proxy is configured. This forces a mandatory security review for development and DevOps teams to ensure the patch is applied, as the risk involves unintended data exfiltration and credential exposure via a compromised proxy.
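As an added illustration (not Axios's code and not the actual patch), the following compares a NO_PROXY matcher that normalizes the request hostname before comparison with a naive string-compare matcher that shows the class of mistake described above. The NO_PROXY value and hostnames are constructed inputs; port suffixes and CIDR entries are out of scope.

```javascript
// Normalize a hostname the way a NO_PROXY check should before comparing:
// lowercase, strip the FQDN trailing dot, strip IPv6 literal brackets.
function normalizeHost(host) {
  let h = String(host).trim().toLowerCase();
  if (h.startsWith('[') && h.endsWith(']')) h = h.slice(1, -1); // "[::1]" -> "::1"
  if (h.endsWith('.')) h = h.slice(0, -1);                       // "localhost." -> "localhost"
  return h;
}

// Parse a NO_PROXY value such as "localhost,127.0.0.1,::1,.internal.example"
// into normalized entries. A leading dot means "this domain and its subdomains".
function parseNoProxy(value) {
  return String(value || '')
    .split(',')
    .map(e => e.trim())
    .filter(Boolean)
    .map(e => {
      const suffix = e.startsWith('.');
      return { host: normalizeHost(suffix ? e.slice(1) : e), suffix };
    });
}

// Hardened check: true when the request host should bypass the proxy.
function shouldBypassProxy(host, noProxyValue) {
  const target = normalizeHost(host);
  return parseNoProxy(noProxyValue).some(({ host: entry, suffix }) => {
    if (entry === '*') return true;
    if (target === entry) return true;
    return suffix && target.endsWith('.' + entry);
  });
}

// Naive check (constructed to show the failure mode, not Axios's implementation):
// raw string comparison, so "localhost." and "[::1]" never match and leak to the proxy.
function naiveBypassProxy(host, noProxyValue) {
  const list = String(noProxyValue).split(',').map(e => e.trim());
  return list.includes(host);
}

// Constructed sample: a NO_PROXY that a developer expects to cover loopback.
const NO_PROXY = 'localhost,127.0.0.1,::1,.internal.example';
for (const host of ['localhost.', '[::1]', 'api.internal.example', 'evil.example']) {
  console.log(host, 'naive:', naiveBypassProxy(host, NO_PROXY),
              'normalized:', shouldBypassProxy(host, NO_PROXY));
}
```

Only the normalized matcher keeps `localhost.` and `[::1]` off the proxy; the naive one sends both through it while still correctly refusing an unrelated host.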