Advisories for Npm/Axios package

2025

axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL

A previously reported issue in axios demonstrated that using protocol-relative URLs could lead to SSRF (Server-Side Request Forgery). Reference: axios/axios#6463 A similar problem that occurs when passing absolute URLs rather than protocol-relative URLs to axios has been identified. Even if ⁠baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios.

2024
2023
2022
2021
2020

Server-Side Request Forgery (SSRF)

Axios NPM package contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.

2019

Denial of Service

Axios allows attackers to cause a denial of service (application crash) by continuing to accepting content after maxContentLength is exceeded.