CVE-2025-27152

MEDIUM

axios <1.8.2 - SSRF

Title source: llm

Description

axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if ⁠baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios. This issue is fixed in 1.8.2.

Exploits (5)

github WORKING POC 6 stars

by AikidoSec · javascriptpoc

https://github.com/AikidoSec/zen-0-days/tree/main/node/CVE-2025-27152

View Code ZIP pw:eip

github WORKING POC 2 stars

by adminlove520 · pythonpoc

https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2025/CVE-2025-27152

View Code ZIP pw:eip

nomisec WORKING POC 1 stars

by andreglock · poc

https://github.com/andreglock/axios-ssrf

View Code ZIP pw:eip

nomisec

by WillFortMadeTech · poc

https://github.com/WillFortMadeTech/axiosVulnExample

View on nomisec

nomisec NO CODE

by davidblakecoe · poc

https://github.com/davidblakecoe/axios-CVE-2025-27152-PoC

View Code ZIP pw:eip

References (2)

[Broken Link] https://github.com/axios/axios/issues/6463

[Exploit, Vendor Advisory] https://github.com/axios/axios/security/advisories/GHSA-jr5f-v2jv-69x6

Scores

CVSS v3 5.3

EPSS 0.0009

EPSS Percentile 26.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Classification

CWE

CWE-918

Status published

Affected Products (2)

axios/axios < 0.30.0

npm/axios < 1.8.2npm

Timeline

Published Mar 07, 2025

Tracked Since Feb 18, 2026