How the mentioned CVE works:
The original CVE-2025-62718 allowed attackers to bypass NO_PROXY in Axios by using a trailing dot (localhost./) or IPv6 brackets ([::1]), because Axios performed a raw string comparison without normalization. The patch in version 1.15.0 introduced normalizeNoProxyHost() to strip trailing dots and brackets, plus a hardcoded LOOPBACK_ADDRESSES Set containing only 'localhost', '127.0.0.1', and '::1'. However, RFC 1122 defines the entire 127.0.0.0/8 subnet (16 million addresses) as loopback. The isLoopback() function checks strict Set membership, so any other address in that range, such as 127.0.0.2, returns false. When shouldBypassProxy() evaluates the NO_PROXY entries, it sees that hostname 127.0.0.2 does not match 127.0.0.1 and that isLoopback() is false, so it returns false. Axios then routes the request through the configured HTTP proxy instead of making a direct connection. An attacker controlling the request URL can substitute any other 127.x.x.x address for 127.0.0.1 to silently bypass the NO_PROXY protection. This leads to full SSRF: internal loopback services, admin dashboards, or cloud metadata proxies bound to non-standard loopback IPs become reachable through the attacker's proxy. The vulnerability affects all Node.js applications using Axios 1.15.0 with HTTP_PROXY set and NO_PROXY=localhost,127.0.0.1,::1. The patch is incomplete because it fixes only two string representations and ignores the rest of the IPv4 loopback range.
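To make the two checks concrete, here is an added example (written for this page, not Axios's own code) that models the NO_PROXY evaluation described above. The function names mirror the ones the advisory mentions; their bodies, the NO_PROXY suffix-matching rule, and the sample hostnames are assumptions. It places the strict three-entry Set check beside an RFC 1122 check of 127.0.0.0/8 and evaluates both against the advisory's NO_PROXY value.

```javascript
// Added example (not axios's source): a simplified model of the NO_PROXY
// evaluation the advisory describes. normalizeNoProxyHost, LOOPBACK_ADDRESSES,
// isLoopback and shouldBypassProxy mirror the names the advisory mentions; the
// bodies here are assumptions written for illustration.

// Normalisation from the 1.15.0 patch: lower-case, drop a trailing dot,
// drop IPv6 brackets ("localhost." -> "localhost", "[::1]" -> "::1").
function normalizeNoProxyHost(host) {
  let h = String(host).trim().toLowerCase();
  if (h.endsWith('.')) h = h.slice(0, -1);
  if (h.startsWith('[') && h.endsWith(']')) h = h.slice(1, -1);
  return h;
}

// The incomplete check: strict membership in a three-entry Set, so
// 127.0.0.2 (and the rest of 127.0.0.0/8) is not treated as loopback.
const LOOPBACK_ADDRESSES = new Set(['localhost', '127.0.0.1', '::1']);
function isLoopbackStrict(host) {
  return LOOPBACK_ADDRESSES.has(normalizeNoProxyHost(host));
}

// The RFC 1122 check the advisory recommends: any valid IPv4 address whose
// first octet is 127 is loopback, alongside "localhost" and "::1".
function isLoopbackRfc1122(host) {
  const h = normalizeNoProxyHost(host);
  if (h === 'localhost' || h === '::1') return true;
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(h);
  if (!m) return false;
  const octets = m.slice(1).map(Number);
  if (octets.some((o) => o > 255)) return false; // reject 127.0.0.999 etc.
  return octets[0] === 127;
}

// Bypass decision for one hostname against a NO_PROXY list: exact entry
// match, "*" wildcard, ".suffix" domain match (common NO_PROXY semantics,
// assumed here), or whatever the supplied loopback check says.
function shouldBypassProxy(hostname, noProxy, isLoopback) {
  const host = normalizeNoProxyHost(hostname);
  const entries = noProxy.split(',').map(normalizeNoProxyHost).filter(Boolean);
  if (entries.includes('*')) return true;
  for (const entry of entries) {
    if (host === entry) return true;
    if (entry.startsWith('.') && host.endsWith(entry)) return true;
  }
  return isLoopback(host);
}

// Side-by-side comparison for the addresses the advisory discusses
// (sample hostnames constructed for this example).
const NO_PROXY = 'localhost,127.0.0.1,::1';
function compareChecks(
  hostnames = ['127.0.0.1', '127.0.0.2', '127.1.2.3', 'localhost.', '[::1]', '10.0.0.5'],
) {
  return hostnames.map((h) => ({
    host: h,
    strict: shouldBypassProxy(h, NO_PROXY, isLoopbackStrict),
    rfc1122: shouldBypassProxy(h, NO_PROXY, isLoopbackRfc1122),
  }));
}

console.table(compareChecks());
```

Run it with node: the table shows 127.0.0.2 and 127.1.2.3 bypassed only under the RFC 1122 check, while localhost. and [::1] are bypassed under both because of the normalisation step. The octet bound check matters when hardening: without it a string such as 127.0.0.999 would pass the first-octet test despite never being a valid address.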
DailyCVE form:
Platform: Axios Node.js
Version: 1.15.0
Vulnerability: NO_PROXY bypass
Severity: Critical (9.9)
Date: 2026-05-04
Prediction: Patch within 2-4 weeks
What Undercode Say:
Verify loopback routing on Linux
ip route show table local | grep "127"
ping -c 1 127.0.0.2
Check Axios version
npm list axios
Run PoC (requires Node.js and the axios package installed; the file uses ES module syntax, so it is saved with a .mjs extension)
cat > poc.mjs << 'EOF'
import http from 'http';
import axios from 'axios';
const PROXY_PORT = 5300;
// Local stand-in for the configured HTTP proxy: any request that reaches it
// was not excluded by NO_PROXY.
http.createServer((req, res) => {
  console.log('[!] PROXY HIT:', req.url);
  res.end('proxied');
}).listen(PROXY_PORT);
process.env.HTTP_PROXY = `http://127.0.0.1:${PROXY_PORT}`;
process.env.NO_PROXY = 'localhost,127.0.0.1,::1';
// A request that hits the stand-in proxy returns 'proxied' (BYPASS); a direct
// connection to a port with no listener is refused and reported as DIRECT.
async function test(url) {
  try {
    const res = await axios.get(url, { timeout: 2000 });
    console.log(url, res.data === 'proxied' ? 'BYPASS' : 'DIRECT');
  } catch (e) {
    console.log(url, 'DIRECT');
  }
}
setTimeout(async () => {
  await test('http://127.0.0.2:9191/secret');
  process.exit(0);
}, 500);
EOF
node poc.mjs
Exploit:
The attacker controls the target URL (e.g., through user input, a redirect, or an existing SSRF vector) and replaces 127.0.0.1 with any other 127.x.x.x address (127.0.0.2, 127.0.0.100, 127.1.2.3). Axios sends the full request, including headers, body, and cookies, to the attacker-controlled proxy defined in HTTP_PROXY. The proxy then forwards it to the real loopback service and intercepts the responses. No error or log entry indicates the bypass.
Protection from this CVE:
- Wait for the official Axios patch (replace the LOOPBACK_ADDRESSES Set with an RFC-compliant isLoopback() that checks 127.0.0.0/8).
- Apply a hotfix manually in node_modules/axios/lib/helpers/shouldBypassProxy.js (replace lines 1-3 with a function that checks whether the first octet of the dotted-quad address is '127'); a manual edit under node_modules is lost on the next install, so reapply it or pin it with your package manager's patch mechanism.
- Avoid using non-standard loopback addresses (use only 127.0.0.1, localhost, ::1).
- Set NO_PROXY to "" (disables proxy entirely) if feasible.
- Monitor outbound proxy logs for unexpected 127.x.x.x destinations.
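For the last item in the list, here is an added example (not from the advisory or the Axios project) of that detection logic run over constructed proxy log lines. The log format, the sample lines and the function names are assumptions. Because NO_PROXY=localhost,127.0.0.1,::1 is meant to keep every loopback request off the proxy, the scan flags any loopback destination, 127.0.0.1 included, not only the non-standard ones.

```javascript
// Added example (not from the advisory or axios): scan outbound proxy log
// lines for destinations in the loopback range. With NO_PROXY set to
// localhost,127.0.0.1,::1 no loopback request should ever reach the proxy,
// so any such destination in the proxy log is a candidate NO_PROXY bypass.
// The log format is constructed for this example: one line per request,
// "<timestamp> <method> <target> <status>", where <target> is a full URL for
// plain requests and "host:port" for CONNECT tunnels.

const SAMPLE_PROXY_LOG = [
  '2026-05-04T10:00:01Z GET http://example.com/api/v1/status 200',
  '2026-05-04T10:00:02Z GET http://127.0.0.2:9191/secret 200',
  '2026-05-04T10:00:03Z CONNECT 127.0.0.100:8443 200',
  '2026-05-04T10:00:04Z GET http://127.0.0.1:3000/health 200',
  '2026-05-04T10:00:05Z GET http://[::1]:8080/ 200',
  '2026-05-04T10:00:06Z CONNECT 127.1.2.3:443 200',
  '2026-05-04T10:00:07Z GET http://10.0.0.5/ 200',
  'malformed line',
];

// Extract the destination host from the target field; null if unparseable.
function destinationHost(target) {
  if (/^https?:\/\//i.test(target)) {
    try {
      // WHATWG URL keeps the brackets around an IPv6 hostname; strip them.
      return new URL(target).hostname.replace(/^\[|\]$/g, '');
    } catch (e) {
      return null;
    }
  }
  const v6 = /^\[([^\]]+)\]:\d+$/.exec(target); // [::1]:443
  if (v6) return v6[1];
  const v4 = /^([^:\/\s]+):\d+$/.exec(target); // 127.0.0.100:8443
  return v4 ? v4[1] : null;
}

// True for 127.0.0.0/8 (with octet bounds checked), ::1 and localhost.
function isLoopbackHost(host) {
  const h = host.toLowerCase();
  if (h === 'localhost' || h === '::1') return true;
  const m = /^127\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(h);
  return !!m && m.slice(1).every((o) => Number(o) <= 255);
}

// Return one finding per log line whose destination is a loopback address.
function findLoopbackDestinations(lines) {
  const findings = [];
  for (const line of lines) {
    const fields = line.trim().split(/\s+/);
    if (fields.length < 4) continue; // skip lines that do not fit the format
    const host = destinationHost(fields[2]);
    if (host && isLoopbackHost(host)) {
      findings.push({ timestamp: fields[0], method: fields[1], host, line });
    }
  }
  return findings;
}

for (const f of findLoopbackDestinations(SAMPLE_PROXY_LOG)) {
  console.log(`[ALERT] ${f.timestamp} ${f.method} to loopback host ${f.host}`);
}
```

Point the function at your real proxy's access log after adapting destinationHost to its field layout; the useful signal is the destination host, so the parser only needs to recover that field reliably for both plain and CONNECT entries.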
Impact:
Silent SSRF and proxy bypass expose internal loopback services (admin panels, internal APIs, secret managers, health endpoints). Attackers can retrieve cloud IAM credentials from metadata proxies bound to 127.x.x.x, exfiltrate data, and pivot to internal networks. The bypass affects 16 million loopback addresses, leaving 99.999% of the loopback space unprotected. No detection mechanism exists within the application.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode