AI description
CVE-2025-27152 is a vulnerability in Axios, a popular JavaScript HTTP client library used in both browser and Node.js environments. The flaw allows attackers to potentially perform Server-Side Request Forgery (SSRF) and leak sensitive credentials. This occurs because Axios improperly handles absolute URLs within requests. Even if a `baseURL` is configured, providing an absolute URL in a request will cause Axios to ignore the base and send the request directly to the specified absolute URL. This behavior can bypass security measures intended to restrict requests to specific domains or resources. Consequently, attackers could craft requests targeting internal network services or exfiltrate sensitive data such as API keys or credentials included in the requests. The vulnerability affects Axios versions up to and including 1.7.9 and has been addressed in version 1.8.2.
- Description: axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios. This issue is fixed in 1.8.2.
- Source: security-advisories@github.com
- NVD status: Received
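The following is an added illustration, not code from axios or the advisory: it mirrors the URL resolution the descriptions above talk about (an absolute or protocol-relative request URL overrides the configured baseURL) and shows an allow-list gate an application can apply to caller-supplied paths before they reach the HTTP client. The base URL and sample inputs are constructed; Node's built-in WHATWG URL parser is used and nothing is sent over the network.

```javascript
// Added example (not axios's code or the advisory's): mirrors the URL
// resolution described above and shows an allow-list gate that rejects
// request URLs escaping a configured baseURL. Node's built-in WHATWG URL
// parser is used; nothing is sent over the network.
const BASE_URL = 'https://api.internal.example/v1/'; // constructed sample base

// Resolution as described for the affected behaviour: an absolute or
// protocol-relative request URL is honoured and the base is ignored.
function resolveLikeAxios(requestUrl, baseURL = BASE_URL) {
  return new URL(requestUrl, baseURL).href;
}

// Defensive gate to run before handing a caller-supplied path to the
// HTTP client. Returns the full URL when it stays under baseURL, else null.
function buildSafeUrl(requestUrl, baseURL = BASE_URL) {
  if (typeof requestUrl !== 'string') return null;
  // Reject anything with a scheme ("https:", "file:", even "users:42")
  // or a protocol-relative prefix ("//host/...").
  if (/^[a-zA-Z][a-zA-Z0-9+.-]*:/.test(requestUrl) || requestUrl.startsWith('//')) {
    return null;
  }
  const base = new URL(baseURL);
  const resolved = new URL(requestUrl, base);
  // Final gate: the parser treats "\\host" like "//host" for http(s), so
  // compare origins rather than trusting the prefix checks alone.
  if (resolved.origin !== base.origin) return null;
  // Keep the request under the base path too ("../admin" must not escape /v1/).
  if (!resolved.pathname.startsWith(base.pathname)) return null;
  return resolved.href;
}

// Constructed inputs to illustrate each case.
const samples = [
  'users/42',                       // legitimate relative path
  'https://elsewhere.example/x',    // absolute URL: base is ignored
  '//elsewhere.example/x',          // protocol-relative: same effect
  '\\\\elsewhere.example/x',        // backslashes: caught by the origin check
  '../admin',                       // escapes the base path
];

for (const s of samples) {
  console.log(JSON.stringify(s), '->', resolveLikeAxios(s), '| safe:', buildSafeUrl(s));
}
```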
CVSS 4.0
- Type: Secondary
- Base score: 7.7
- Impact score: -
- Exploitability score: -
- Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity: HIGH
- CWE-918 (source: security-advisories@github.com)
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score: 1
Follow @zoomeye_team & Get 7-Day Membership! 🚨🚨A wild vuln just dropped: CVE-2025-27152 in Axios! This sneaky flaw could let attackers pull off some slick SSRF moves or snag creds via absolute URLs. MILLIONS of users might be exposed! 🔥PoC: https://t.co/yJ24tTpDcw Zoom
@zoomeye_team
13 Mar 2025
334 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
Critical vulnerability (CVE-2025-27152) in the popular JavaScript library Axios | Security News, provided by 合同会社ロケットボーイズ https://t.co/SfTinxuj1u
@Neptunetx2
13 Mar 2025
2 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
RT @Dinosn: Popular JavaScript Library ‘Axios’ Exposes Millions to Server-Side Vulnerabilities (CVE-2025-27152)
@ArielSimmo92815
12 Mar 2025
22 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨Alert🚨 CVE-2025-27152:Possible SSRF and Credential Leakage via Absolute URL in axios Requests 🔥PoC:https://t.co/METzB4xHYv 📊 202K+ Services are found on the https://t.co/ysWb28Crld yearly. 🔗Hunter Link:https://t.co/2Jz1DeTGt2 👇Query HUNTER :… https://t.co/uZIjwBUIFl https:
@HunterMapping
12 Mar 2025
3596 Impressions
13 Retweets
70 Likes
34 Bookmarks
1 Reply
0 Quotes
CVE-2025-27152: JavaScript Library ‘Axios’ Exposes Millions to Server-Side Vulnerabilities. https://t.co/GkZ7FRrYOv https://t.co/JsrrS7Hajj
@cyber_advising
12 Mar 2025
1143 Impressions
1 Retweet
15 Likes
7 Bookmarks
0 Replies
0 Quotes
Threat Alert: Popular JavaScript Library 'Axios' Exposes Millions to Server-Side Vulnerabiliti CVE-2025-27152 Severity: ⚠️ Critical Maturity: 💢 Emerging Learn more: https://t.co/fENHrcWh1s #CyberSecurity #ThreatIntel #InfoSec
@fletch_ai
12 Mar 2025
10 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
A critical vulnerability (CVE-2025-27152) has been found in the popular JavaScript library Axios. The project has officially published part of a PoC, so affected users are advised to update. #セキュリティ対策Lab #セキュリティ #Security https://t.co/adlgWkG3L0
@securityLab_jp
12 Mar 2025
21 Impressions
1 Retweet
1 Like
0 Bookmarks
0 Replies
0 Quotes
Popular JavaScript Library ‘Axios’ Exposes Millions to Server-Side Vulnerabilities (CVE-2025-27152) https://t.co/pj8ylJ75JI
@Dinosn
11 Mar 2025
98121 Impressions
34 Retweets
213 Likes
76 Bookmarks
1 Reply
8 Quotes
🚨 Lambda Watchdog detected a new HIGH severity CVE 🚨 CVE-2025-27152 was detected in the latest AWS Lambda image scan affecting the axios package in 4 images. Check the full report 👉 https://t.co/6EUGaPyRZk #AWS #Lambda #CVE #CloudSecurity #Serverless
@LambdaWatchdog
8 Mar 2025
5 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-27152 axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if ba… https://t.co/jZLvGBac0k
@CVEnew
8 Mar 2025
89 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes