CVE-2025-27152 (Medium) Detected In Axios-0.21.1.tgz

CVE-2025-27152 (Medium) Detected in axios-0.21.1.tgz: A Critical Vulnerability in a Popular HTTP Client Library

Introduction

In the ever-evolving landscape of software development, security vulnerabilities can have a significant impact on the integrity and reliability of applications. One such vulnerability, CVE-2025-27152, has been detected in the popular HTTP client library, axios-0.21.1.tgz. This article will delve into the details of this vulnerability, its impact, and the suggested fix to ensure the security of your applications.

CVE-2025-27152 - Medium Severity Vulnerability

The axios library is a promise-based HTTP client for both the browser and node.js. However, a critical vulnerability has been discovered in the version 0.21.1.tgz of this library. The issue arises when passing absolute URLs rather than protocol-relative URLs to axios. Even if the baseURL is set, axios sends the request to the specified absolute URL, potentially causing Server-Side Request Forgery (SSRF) and credential leakage. This vulnerability affects both server-side and client-side usage of axios.

Vulnerable Library Details

• Library Name: axios
• Version: 0.21.1.tgz
• Library Home Page: https://registry.npmjs.org/axios/-/axios-0.21.1.tgz
• Path to Dependency File: /azure-function/node/package.json
• Path to Vulnerable Library: /azure-function/node/node_modules/axios/package.json,/azure-static-web-app/api/node/node_modules/axios/package.json

Dependency Hierarchy

The vulnerability is part of a larger dependency hierarchy, which includes the following libraries:

• mssql-6.3.1.tgz (Root Library)
  • tedious-6.7.0.tgz
    • ms-rest-nodeauth-2.0.2.tgz
      • ms-rest-js-1.11.2.tgz
        • axios-0.21.1.tgz (Vulnerable Library)

Vulnerability Details

The vulnerability, CVE-2025-27152, was discovered on March 7, 2025. The issue is fixed in version 1.8.2 of the axios library. The vulnerability affects both server-side and client-side usage of axios, making it a critical issue that requires immediate attention.

Publish Date and URL

• Publish Date: 2025-03-07
• URL: https://www.mend.io/vulnerability-database/CVE-2025-27152

CVSS 3 Score Details

The CVSS 3 score for this vulnerability is 5.5, indicating a medium severity vulnerability. The base score metrics are as follows:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

The suggested fix for this vulnerability is to upgrade the version of the axios library to 1.8.2 or later. This fix is available on GitHub, and the release date is March 7, 2025.

• Type: Upgrade version
• Origin: https://github.com/advisories/GHSA-jr5f-v2jv-69x6
• Release Date: 2025-03-07
• Fix Resolution: 1.8.2

Conclusion

In conclusion, the CVE-2025-27152 vulnerability in the axios-0.21.1.tgz library is a critical issue that requires immediate attention. The vulnerability affects both server-side and client-side usage of axios, making it a significant security risk. By upgrading to version 1.8.2 or later, developers can ensure the security of their applications and prevent potential attacks.
CVE-2025-27152 (Medium) Detected in axios-0.21.1.tgz: A Critical Vulnerability in a Popular HTTP Client Library - Q&A

Introduction

In our previous article, we discussed the CVE-2025-27152 vulnerability in the axios-0.21.1.tgz library. This vulnerability has significant implications for developers who use this library in their applications. In this Q&A article, we will address some of the most frequently asked questions about this vulnerability and provide guidance on how to mitigate it.

Q1: What is the CVE-2025-27152 vulnerability?

A1: The CVE-2025-27152 vulnerability is a critical issue in the axios-0.21.1.tgz library that allows an attacker to perform Server-Side Request Forgery (SSRF) and credential leakage. This vulnerability occurs when passing absolute URLs rather than protocol-relative URLs to axios, even if the baseURL is set.

Q2: What is the impact of this vulnerability?

A2: The impact of this vulnerability is significant, as it can allow an attacker to:

• Perform SSRF attacks, which can lead to unauthorized access to internal systems and data.
• Leak credentials, which can compromise the security of the application and its users.

Q3: Which versions of axios are affected by this vulnerability?

A3: The CVE-2025-27152 vulnerability affects version 0.21.1.tgz of the axios library. However, it is recommended to upgrade to version 1.8.2 or later to ensure the security of your applications.

Q4: How can I identify if my application is affected by this vulnerability?

A4: To identify if your application is affected by this vulnerability, you can:

• Check the version of axios used in your application.
• Review the code to ensure that absolute URLs are not being passed to axios.
• Use a vulnerability scanner or a security tool to identify potential vulnerabilities.

Q5: What is the recommended fix for this vulnerability?

A5: The recommended fix for this vulnerability is to upgrade the version of axios to 1.8.2 or later. This fix is available on GitHub, and the release date is March 7, 2025.

Q6: Can I patch the vulnerable version of axios instead of upgrading to a newer version?

A6: It is not recommended to patch the vulnerable version of axios, as this may introduce additional security risks. Instead, it is recommended to upgrade to a newer version of axios that has been patched and secured.

Q7: How can I prevent similar vulnerabilities in the future?

A7: To prevent similar vulnerabilities in the future, you can:

• Regularly review and update your dependencies to ensure they are secure.
• Use a vulnerability scanner or a security tool to identify potential vulnerabilities.
• Follow best practices for secure coding and development.

Q8: What is the CVSS 3 score for this vulnerability?

A8: The CVSS 3 score for this vulnerability is 5.5, indicating a medium severity vulnerability.

Q9: Can I use a different HTTP client library instead of axios?

A9: Yes, you can use a different HTTP client library instead of axios. However, it is recommended to choose a library that has been thoroughly tested and secured.

Q10: Where can I find more information about this vulnerability?

A10: You can find more information about this vulnerability on the following resources:

• CVE-2025-27152 vulnerability page on the National Vulnerability Database (NVD)
• GitHub advisory for the axios library
• Mend.io vulnerability database

Conclusion

In conclusion, the CVE-2025-27152 vulnerability in the axios-0.21.1.tgz library is a critical issue that requires immediate attention. By understanding the impact and recommended fix for this vulnerability, developers can ensure the security of their applications and prevent potential attacks.