Anonymous Intelligence Signal

Axios v1.15.0 Security Patch: Proxy Bypass Flaw in NO_PROXY Handling (CVE-2025-62718)

The Lab (unverified) | 2026-04-14 07:22:36 | Source: GitHub Issues

A critical security flaw in the widely used Axios HTTP client library has been patched: a proxy bypass vulnerability that could allow attackers to intercept sensitive internal traffic. The issue, tracked as CVE-2025-62718, stems from improper hostname normalization when checking `NO_PROXY` rules. Specifically, requests directed to loopback addresses written as `localhost.` (with a trailing dot) or as the IPv6 literal `[::1]` fail to match the corresponding `NO_PROXY` entries and are therefore sent through the configured proxy server instead of being exempted from it.

This behavior directly contradicts developer expectations and established security configurations. The `NO_PROXY` environment variable is a standard mechanism used to protect internal, loopback, or intranet traffic from being routed through an external proxy, which is a common requirement in corporate and development environments. The flaw means that an attacker could potentially manipulate request destinations to force traffic through a malicious or monitored proxy, even when developers have explicitly configured the system to prevent this for local communications.
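To make the normalization problem concrete, here is an added example (not Axios's own code, and not the actual fix from v1.15.0) of a `NO_PROXY` matcher in JavaScript. The naive variant compares the raw hostname string with each entry, so `localhost.` and `[::1]` slip past the exemption exactly as described above; the hardened variant first lowercases the host, strips IPv6 URL brackets and drops a trailing dot, then supports exact entries, `.suffix`/`*.suffix` entries and the `*` wildcard. Port suffixes and CIDR entries are deliberately left out of this illustration.

```javascript
// Added example: NO_PROXY matching with and without hostname normalisation.
// Not the Axios implementation; entry syntax supported here is an assumption
// (exact host, ".suffix", "*.suffix", "*"). Ports and CIDR ranges are ignored.

function normalizeHost(host) {
  let h = String(host).trim().toLowerCase();
  // "[::1]" (URL form of an IPv6 literal) -> "::1"
  if (h.startsWith('[') && h.endsWith(']')) h = h.slice(1, -1);
  // "localhost." (fully-qualified form with trailing dot) -> "localhost"
  while (h.length > 1 && h.endsWith('.')) h = h.slice(0, -1);
  return h;
}

function parseNoProxy(value) {
  return String(value || '')
    .split(',')
    .map(s => s.trim())
    .filter(Boolean)
    .map(entry => {
      const lower = entry.toLowerCase();
      if (lower === '*') return { any: true };
      // "*.example.com" is treated like ".example.com" (domain suffix match)
      return { pattern: normalizeHost(lower.replace(/^\*\./, '.')) };
    });
}

// Naive check: raw string comparison. "localhost." !== "localhost",
// "[::1]" !== "::1", so both are wrongly routed through the proxy.
function naiveShouldBypass(host, noProxy) {
  const raw = String(host).toLowerCase();
  return parseNoProxy(noProxy).some(e => e.any || e.pattern === raw);
}

// Hardened check: normalise the request host before comparing.
function shouldBypassProxy(host, noProxy) {
  const h = normalizeHost(host);
  return parseNoProxy(noProxy).some(e => {
    if (e.any) return true;
    if (e.pattern.startsWith('.')) {
      // ".example.com" matches "example.com" itself and any subdomain
      return h === e.pattern.slice(1) || h.endsWith(e.pattern);
    }
    return h === e.pattern;
  });
}

// Constructed demo inputs: a typical corporate NO_PROXY and the two
// loopback spellings from the advisory.
const NO_PROXY = 'localhost,127.0.0.1,::1,.corp.example';
for (const host of ['localhost', 'localhost.', '[::1]', 'db.corp.example', 'evil.example']) {
  console.log(
    `${host.padEnd(16)} naive=${naiveShouldBypass(host, NO_PROXY)}` +
    ` normalised=${shouldBypassProxy(host, NO_PROXY)}`
  );
}
```

The important property is that the decision is made on the normalised form on both sides: entries in `NO_PROXY` go through the same `normalizeHost` as the request host, so an operator who writes `[::1]` or `localhost.` in the variable gets the same result as one who writes `::1` or `localhost`.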

The update to Axios v1.15.0 addresses this normalization error. The vulnerability's impact is significant because it undermines a fundamental network security control. Any application using Axios with a proxy configuration and relying on `NO_PROXY` to safeguard internal endpoints was potentially exposed. This includes countless development tools, CI/CD pipelines, and backend services that communicate with local APIs or databases. Teams should treat the patch as a mandatory update to close this unexpected vector for traffic interception and maintain the integrity of their internal network segmentation.