SSRF

SSRF in Node.js Express via Axios proxy bypass [CVE-2025-62718]

[Fixed 2025-08] Updated CVE-2025-62718

Overview

The CVE-2025-62718 disclosure describes a proxy/NO_PROXY handling bug in Axios prior to 1.15.0. When a Node.js (Express) application uses Axios to fetch user-supplied URLs and a proxy is configured, requests to loopback addresses such as localhost (including a trailing dot like localhost.) or IPv6 literal [::1] may bypass NO_PROXY matching due to hostname normalization issues. This means those requests can be routed through the configured proxy instead of being blocked, creating an SSRF path into internal services or services only reachable from the host. The flaw is significant in server environments where an attacker can influence the target URL that your API fetches, effectively enabling proxy bypass and SSRF. The CVE has associations with CWE-441 and CWE-918, underscoring unsafe handling of external input leading to server-side network access or bypass of intended protections. This manifests in real Node.js (Express) apps when outbound HTTP requests are driven by user input and the proxy/no-proxy logic is not robust against canonicalization edge cases. In practice, an attacker could supply a URL that points to localhost or an internal endpoint, and if the app relies on a proxy configuration to reach external resources, the request may still be routed via the proxy due to the NO_PROXY bypass bug. SSRF is especially dangerous because it may enable lateral movement, access to internal services, or exposure of internal metadata. To developers, this risk highlights the importance of not solely trusting environmental proxies for security, and the need to validate target URLs and upgrade dependencies that fix known NO_PROXY hostname normalization issues. Remediating this class of vulnerability involves upgrading Axios to the fixed version (≥ 1.15.0) and applying robust server-side safeguards in your Node.js/Express code. In addition to upgrading, implement explicit allowlists or denylists for target URLs, validate and normalize incoming URLs, and avoid routing internal or loopback destinations through proxies. Add integration tests that simulate SSRF-like inputs (e.g., http://localhost, http://localhost./, http://[::1]/) to verify that such targets are blocked or rejected.

Affected Versions

< 1.15.0

Code Fix Example

Node.js (Express) API Security Remediation 
/* VULNERABLE PATTERN */
/* Demonstrates a minimal Express route that takes a user-supplied URL and fetches it with Axios. This relies on proxy settings and NO_PROXY handling that can be bypassed for loopback addresses prior to Axios 1.15.0. */

const express = require('express');
const axios = require('axios');
const app = express();

app.get('/fetch', async (req, res) => {
  try {
    const url = req.query.url;
    // Vulnerable: directly uses user input to fetch resources
    const response = await axios.get(url);
    res.status(200).send(response.data);
  } catch (err) {
    res.status(500).send('Error fetching URL');
  }
});

app.listen(3000, () => console.log('Vulnerable server listening on port 3000'));

/* FIXED VERSION (axios >= 1.15.0) + explicit URL validation/denial of internal targets */

/* To illustrate side-by-side, the following block reuses the same Express app but with a secure path. */

const expressFixed = require('express');
const axiosFixed = require('axios'); // Ensure package.json uses axios >= 1.15.0
const net = require('net');
const { URL } = require('url');
const appFixed = expressFixed();

function isInternalTarget(targetUrl) {
  try {
    const parsed = new URL(targetUrl);
    const host = (parsed.hostname || '').toLowerCase();
    const trimmed = host.replace(/\\.$/, '');
    // Block explicit loopback/localhost and common loopback forms
    if (trimmed === 'localhost' || trimmed === 'localhost.') return true;
    if (trimmed === '127.0.0.1' || trimmed === '::1' || trimmed === '[::1]') return true;

    // If host is an IP, check private ranges (basic check)
    if (net.isIP(trimmed) === 4) {
      const parts = trimmed.split('.').map(n => parseInt(n, 10));
      const [a, b] = parts;
      if (a === 10) return true;
      if (a === 172 && b >= 16 && b <= 31) return true;
      if (a === 192 && b === 168) return true;
    }
    // IPv6 private ranges can be added as needed
    return false;
  } catch {
    // If URL parsing fails, treat as internal/unsafe
    return true;
  }
}

appFixed.get('/fetch', async (req, res) => {
  const url = req.query.url;
  if (!url) return res.status(400).send('URL required');
  // Enforce allowlist/denylist at runtime
  if (isInternalTarget(url)) {
    return res.status(400).send('Target not allowed');
  }
  try {
    const response = await axiosFixed.get(url);
    res.status(200).send(response.data);
  } catch (err) {
    res.status(500).send('Error fetching URL');
  }
});

appFixed.listen(3001, () => console.log('Fixed server listening on port 3001'));

CVE References

More Node.js (Express) API Security Remediation Guides

View all →

Manage cookie preferences

Choose which optional cookies to allow. You can change this any time.