cvedb.io
CVE-2025-27152
MEDIUM · CVSS 5.3
EPSS exploitation probability: 0%
Published 2025-03-07T16:15:38.773 · Last modified 2026-06-17T09:03:06.570

Summary

axios is a promise-based HTTP client for the browser and Node.js. The issue occurs when an absolute URL, rather than a protocol-relative URL, is passed to axios. Even if baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios. It is fixed in 1.8.2.
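The following caller-side guard is an added example, not code from axios or from this advisory; it models the behaviour described above and shows a check to apply to untrusted request paths before they reach the HTTP client. It goes beyond the summary by also rejecting protocol-relative, backslash and path-traversal forms. The function names, BASE_URL and the host names are assumptions constructed for illustration.

```javascript
// Added example: caller-side guard, not axios source code.
// BASE_URL and all host names are constructed placeholders.
const BASE_URL = 'https://api.internal.example/v1/';

// Simplified model of the behaviour in the summary: an absolute request
// URL is used as-is, so baseURL never constrains the destination.
function modelAffectedResolve(baseURL, requestUrl) {
  if (/^[a-z][a-z\d+\-.]*:\/\//i.test(requestUrl)) return requestUrl;
  return baseURL.replace(/\/+$/, '') + '/' + requestUrl.replace(/^\/+/, '');
}

// Hypothetical helper: resolve an untrusted path against baseURL and
// refuse any result outside the baseURL origin and path prefix.
function safeRelativeUrl(baseURL, requestUrl) {
  if (typeof requestUrl !== 'string' || requestUrl === '') {
    throw new TypeError('request URL must be a non-empty string');
  }
  // Early, readable rejection of "scheme:" and "//host" forms. "\" is
  // included because the URL parser treats it like "/" for http(s).
  if (/^\s*[a-z][a-z\d+\-.]*:/i.test(requestUrl) ||
      /^\s*[\\/]{2}/.test(requestUrl)) {
    throw new Error('absolute URL rejected');
  }
  const base = new URL(baseURL.replace(/\/*$/, '/'));
  // Leading slashes are dropped so "/users" stays under the base path.
  const resolved = new URL(requestUrl.replace(/^[\\/]+/, ''), base);
  // Authoritative check on the parsed result: it also catches inputs the
  // regexes miss, such as embedded tabs or "../" traversal.
  if (resolved.origin !== base.origin ||
      !resolved.pathname.startsWith(base.pathname)) {
    throw new Error('resolved URL escapes baseURL');
  }
  return resolved.href;
}
```

The guard complements upgrading to 1.8.2 and is useful wherever a request path is built from user-controlled input.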

Affected products

axios — axios

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.