CVE-2025-62718 -- CVSS 9.9 Vulnerability Briefing

CVE-2025-62718 | CVSS 9.9 (Critical) | Exploit: No known exploit

What Is It

CVE-2025-62718 is a proxy bypass vulnerability in Axios, a widely used promise-based HTTP client for browser and Node.js environments, caused by improper hostname normalization when evaluating NO_PROXY rules.

Technical Detail

Axios fails to correctly normalize hostnames before comparing them against NO_PROXY exclusion rules, which allows requests targeting loopback addresses or similarly formatted hostnames to bypass intended proxy restrictions. An attacker or malicious dependency capable of influencing request targets could exploit this to route traffic through an unintended proxy, potentially exposing sensitive request data including headers, credentials, and payloads to an attacker-controlled endpoint. The flaw affects Axios versions prior to 1.15.0 and prior to 0.31.0 in the legacy 0.x branch, and the impact is most severe in server-side Node.js deployments where proxy configurations are used to enforce network segmentation or traffic inspection policies.

Exploitation Status

No known exploit exists for this vulnerability at this time. It is not listed in the CISA Known Exploited Vulnerabilities catalog, and no public proof-of-concept code has been confirmed. Despite the absence of active exploitation evidence, the CVSS score of 9.9 reflects the potential severity of successful abuse in affected configurations.

Who Is Targeting This

There is no specific threat actor attribution at this time. No campaigns or targeted sectors have been associated with this vulnerability in available intelligence sources.

What To Do

Organizations should upgrade Axios to version 1.15.0 or later for projects on the 1.x branch, or to version 0.31.0 or later for projects still on the 0.x branch. Given the critical CVSS rating, patching should be treated as high priority, particularly for Node.js applications that rely on proxy configurations for network access control or traffic inspection. Teams should audit their dependency trees using tools such as npm audit or equivalent to identify affected versions across direct and transitive dependencies. As an interim measure, operators can review and harden NO_PROXY configurations to avoid relying solely on Axios-level enforcement for sensitive network boundaries. Detection should focus on unexpected outbound HTTP traffic bypassing configured proxy infrastructure.
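A dependency-tree check along the lines described above, as an added example that is not part of the original briefing: it walks the JSON shape that `npm ls --all --json` emits (here a constructed sample tree, not real project data) and flags every axios instance, direct or transitive, that falls below the fixed versions 1.15.0 and 0.31.0 named in this briefing.

```javascript
// Added example: flag axios versions below the fixed releases named in the briefing
// (1.15.0 on the 1.x branch, 0.31.0 on the 0.x branch), direct and transitive.
const FIXED = { 1: [1, 15, 0], 0: [0, 31, 0] };

// Split "1.15.0-rc.1+build" into { nums: [1, 15, 0], pre: "rc.1+build" }.
function parseVersion(v) {
  const [base, ...preParts] = v.split('-');
  return { nums: base.split('+')[0].split('.').map(Number), pre: preParts.join('-') || null };
}

function compareNums(a, b) {
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0) ? -1 : 1;
  }
  return 0;
}

// true when below the branch's fixed release, false when at or above it, null for majors
// the briefing says nothing about. A pre-release of the fixed version still predates the fix.
function isAffectedAxios(version) {
  const { nums, pre } = parseVersion(version);
  const fixed = FIXED[nums[0]];
  if (!fixed) return null;
  const cmp = compareNums(nums, fixed);
  return cmp < 0 || (cmp === 0 && pre !== null);
}

// Walk the dependency tree and record the path to every axios instance found.
function findAxios(tree, path = [], out = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    if (name === 'axios' && node.version) {
      out.push({ path: here.join(' > '), version: node.version, affected: isAffectedAxios(node.version) });
    }
    findAxios(node, here, out);
  }
  return out;
}

// Constructed sample in the shape of `npm ls --all --json` output; not real project data.
const SAMPLE_TREE = {
  name: 'example-service', version: '1.0.0',
  dependencies: {
    axios: { version: '1.14.2' },
    'legacy-sdk': { version: '2.3.0', dependencies: { axios: { version: '0.31.0' } } },
    'report-lib': { version: '0.9.1', dependencies: { axios: { version: '0.27.2' } } },
  },
};

findAxios(SAMPLE_TREE).forEach((h) => console.log(h.affected === null ? 'UNKNOWN' : h.affected ? 'AFFECTED' : 'ok', h.path));
```

In a real project, replace SAMPLE_TREE with the parsed output of `npm ls --all --json` so that transitive copies pulled in by other packages are reported alongside the direct dependency.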
