VYPR
High severity · NVD Advisory · Published Mar 7, 2025 · Updated Mar 7, 2025

Possible SSRF and Credential Leakage via Absolute URL in axios Requests

CVE-2025-27152

Description

axios is a promise based HTTP client for the browser and node.js. The issue occurs when an absolute URL, rather than a relative one, is passed as the request url. Even if baseURL is set, axios sends the request to that absolute URL instead of resolving it under baseURL. Where the url is built from untrusted input this allows SSRF, and any credentials configured on the client (for example the Basic Authorization header the xhr adapter attaches) are sent to the attacker-chosen host. This issue impacts both server-side and client-side usage of axios. It is fixed in 1.8.2 and backported to 0.30.0 for the 0.x line, which add an allowAbsoluteUrls option; the request is pinned under baseURL only when that option is explicitly set to false.
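The following is an added example and not code from the axios project. It models the path composition described above with simplified re-implementations of axios's isAbsoluteURL, combineURLs and buildFullPath helpers (the regexes are modelled on axios's helpers and are an assumption here), shows the pre-fix and post-fix results for an attacker-supplied absolute URL, and adds an origin check a caller can apply to the final request target regardless of axios version. The hostnames and the forwarded-path scenario are constructed for the example.

```javascript
// Added example (not axios's own code): how axios composes baseURL + url before
// and after CVE-2025-27152, plus a caller-side origin check.
// isAbsoluteURL/combineURLs below are simplified models of axios's helpers
// (assumption: they match axios for the inputs used here).

// axios treats "scheme://..." and protocol-relative "//host/..." as absolute.
function isAbsoluteURL(url) {
  return /^([a-z][a-z\d+\-.]*:)?\/\//i.test(url);
}

// Join base and relative path, collapsing duplicate slashes at the seam.
function combineURLs(baseURL, relativeURL) {
  return relativeURL
    ? baseURL.replace(/\/?\/$/, '') + '/' + relativeURL.replace(/^\/+/, '')
    : baseURL;
}

// Pre-fix behaviour (< 1.8.2 / < 0.30.0): an absolute url always wins over baseURL.
function buildFullPathVulnerable(baseURL, requestedURL) {
  if (baseURL && !isAbsoluteURL(requestedURL)) {
    return combineURLs(baseURL, requestedURL);
  }
  return requestedURL;
}

// Post-fix behaviour: only an explicit allowAbsoluteUrls === false pins the
// request under baseURL; undefined (the default) keeps the old behaviour.
function buildFullPathFixed(baseURL, requestedURL, allowAbsoluteUrls) {
  const isRelativeURL = !isAbsoluteURL(requestedURL);
  if (baseURL && (isRelativeURL || allowAbsoluteUrls === false)) {
    return combineURLs(baseURL, requestedURL);
  }
  return requestedURL;
}

// Defence in depth independent of the axios version: given the fully composed
// target (what axios.getUri() would return), refuse anything whose origin is
// not the baseURL origin. Returns the normalised href or throws.
function assertSameOrigin(baseURL, fullPath) {
  const base = new URL(baseURL);
  const target = new URL(fullPath, base); // protocol-relative "//host" resolves to another host
  if (target.origin !== base.origin) {
    throw new Error(`refusing request to ${target.origin}; expected ${base.origin}`);
  }
  return target.href;
}

// Constructed scenario: a server endpoint forwards a caller-supplied path to an
// internal API through an axios instance with baseURL set. The caller sends an
// absolute URL instead of a path.
const BASE = 'https://api.internal.example/v1';
const attackerInput = 'https://attacker.example/collect';

function demonstrate() {
  const vulnerable = buildFullPathVulnerable(BASE, attackerInput);        // leaves baseURL
  const fixedDefault = buildFullPathFixed(BASE, attackerInput, undefined); // still leaves baseURL
  const fixedPinned = buildFullPathFixed(BASE, attackerInput, false);      // stays on api.internal.example
  let blocked = false;
  try {
    assertSameOrigin(BASE, vulnerable);
  } catch (e) {
    blocked = true; // the origin check catches what the old buildFullPath let through
  }
  return { vulnerable, fixedDefault, fixedPinned, blocked };
}
```

The pinned result shows what the fix actually does: the absolute URL is appended as a path segment under baseURL, so the request reaches the intended host with an odd path rather than being rejected. Because the option is off unless set to false, upgrading alone changes nothing; set allowAbsoluteUrls: false on the instance, and for callers that build urls from untrusted input, validate the composed target (axios exposes it via getUri) against the expected origin before sending.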

Affected packages

Versions sourced from the GitHub Security Advisory.

Package     | Affected versions   | Patched versions
axios (npm) | >= 1.0.0, < 1.8.2   | 1.8.2
axios (npm) | < 0.30.0            | 0.30.0


Patches (2)

Commit 02c3c69ced0f

fix: backport allowAbsoluteUrls vuln fix to v0.x (#6829)

https://github.com/axios/axios · Gabe Mendoza · Mar 19, 2025 · via ghsa
5 files changed · +11 −6
  • lib/adapters/http.js (+1 −1, modified)
    @@ -109,7 +109,7 @@ module.exports = function httpAdapter(config) {
         var method = config.method.toUpperCase();
     
         // Parse url
    -    var fullPath = buildFullPath(config.baseURL, config.url);
    +    var fullPath = buildFullPath(config.baseURL, config.url, config.allowAbsoluteUrls);
         var parsed = url.parse(fullPath);
         var protocol = parsed.protocol || supportedProtocols[0];
     
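Review bot: config.allowAbsoluteUrls is handed through with no default here, and since buildFullPath only pins the request when the value is strictly false, every existing caller of the http adapter keeps the pre-fix behaviour until it explicitly opts in. If 0.30.0 is meant to be secure by default, normalise the option in the adapter (for example treat anything other than true as false) or at least state the opt-in nature in the release notes and the `allowAbsoluteUrls` documentation.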
    
  • lib/adapters/xhr.js (+1 −1, modified)
    @@ -43,7 +43,7 @@ module.exports = function xhrAdapter(config) {
           requestHeaders.Authorization = 'Basic ' + btoa(username + ':' + password);
         }
     
    -    var fullPath = buildFullPath(config.baseURL, config.url);
    +    var fullPath = buildFullPath(config.baseURL, config.url, config.allowAbsoluteUrls);
     
         request.open(config.method.toUpperCase(), buildURL(fullPath, config.params, config.paramsSerializer), true);
     
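Review bot: the Basic Authorization header is set at `requestHeaders.Authorization = 'Basic ' + btoa(username + ':' + password);` before fullPath is computed, so with allowAbsoluteUrls unset an attacker-supplied absolute url still receives the configured credentials; this is the credential-leakage path from the advisory, and a regression test at the adapter level (absolute url, baseURL set, auth configured, allowAbsoluteUrls false) belongs with this change rather than only in buildFullPath.spec.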
    
  • lib/core/Axios.js (+1 −1, modified)
    @@ -136,7 +136,7 @@ Axios.prototype.request = function request(configOrUrl, config) {
     
     Axios.prototype.getUri = function getUri(config) {
       config = mergeConfig(this.defaults, config);
    -  var fullPath = buildFullPath(config.baseURL, config.url);
    +  var fullPath = buildFullPath(config.baseURL, config.url, config.allowAbsoluteUrls);
       return buildURL(fullPath, config.params, config.paramsSerializer);
     };
     
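Review bot: getUri now honours allowAbsoluteUrls, but nothing in this diff shows mergeConfig or the defaults object learning the new key; confirm that an instance-level setting from `axios.create({ baseURL, allowAbsoluteUrls: false })` survives `mergeConfig(this.defaults, config)`, otherwise only per-request settings take effect and the instance default is silently dropped. A test calling getUri on such an instance with an absolute url would pin this down.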
    
  • lib/core/buildFullPath.js (+5 −2, modified)
    @@ -10,10 +10,13 @@ var combineURLs = require('../helpers/combineURLs');
      *
      * @param {string} baseURL The base URL
      * @param {string} requestedURL Absolute or relative URL to combine
    + * @param {boolean} allowAbsoluteUrls Set to true to allow absolute URLs
    + *
      * @returns {string} The combined full path
      */
    -module.exports = function buildFullPath(baseURL, requestedURL) {
    -  if (baseURL && !isAbsoluteURL(requestedURL)) {
    +module.exports = function buildFullPath(baseURL, requestedURL, allowAbsoluteUrls) {
    +  var isRelativeURL = !isAbsoluteURL(requestedURL);
    +  if (baseURL && (isRelativeURL || allowAbsoluteUrls === false)) {
         return combineURLs(baseURL, requestedURL);
       }
       return requestedURL;
    
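Review bot: the JSDoc `@param {boolean} allowAbsoluteUrls Set to true to allow absolute URLs` does not match the code, which only changes behaviour on `allowAbsoluteUrls === false`; true and undefined are identical and both allow absolute URLs, so the doc should state the default and that only an explicit false pins the request. Note also that in the pinned case combineURLs(baseURL, 'https://evil.example/x') yields baseURL + '/https://evil.example/x', which keeps the request on the base host but silently mangles the path; consider whether rejecting the absolute url with an error is the better contract than concatenating it.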
  • test/specs/core/buildFullPath.spec.js (+3 −1, modified)
    @@ -16,5 +16,7 @@ describe('helpers::buildFullPath', function () {
       it('should combine URLs when the baseURL and requestedURL are relative', function () {
         expect(buildFullPath('/api', '/users')).toBe('/api/users');
       });
    -
    +  it('should not combine the URLs when the requestedURL is absolute, allowAbsoluteUrls is false, and the baseURL is not configured', function () {
    +    expect(buildFullPath(undefined, 'https://api.example.com/users', false)).toBe('https://api.example.com/users');
    +  });
     });
    
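Review bot: the only new test passes `undefined` as baseURL, which exercises the `return requestedURL` branch and would have passed against the old buildFullPath too, so it does not cover the fix. Add a case with baseURL set, an absolute requestedURL and allowAbsoluteUrls false asserting the combined result, and one with allowAbsoluteUrls undefined documenting that the default still returns the absolute URL unchanged.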
Commit fb8eec214ce7

fix(http-adapter): add allowAbsoluteUrls to path building (#6810)

https://github.com/axios/axios · Fasoro-Joseph Alexander · Mar 7, 2025 · via ghsa
1 file changed · +1 −1
  • lib/adapters/http.js (+1 −1, modified)
    @@ -228,7 +228,7 @@ export default isHttpAdapterSupported && function httpAdapter(config) {
         }
     
         // Parse url
    -    const fullPath = buildFullPath(config.baseURL, config.url);
    +    const fullPath = buildFullPath(config.baseURL, config.url, config.allowAbsoluteUrls);
         const parsed = new URL(fullPath, platform.hasBrowserEnv ? platform.origin : undefined);
         const protocol = parsed.protocol || supportedProtocols[0];
     
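Review bot: this commit changes only the node http adapter, while the advisory states that client-side usage is affected as well; confirm that the xhr and fetch adapters in the 1.x line also pass config.allowAbsoluteUrls (the 0.x backport above touches xhr.js and Axios.js for this reason), and that getUri in 1.x is consistent, otherwise browser callers setting allowAbsoluteUrls false still send to the absolute url. As in the backport, the option has no default, so the 1.8.2 fix is opt-in unless the adapter normalises it.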
    

