CVE-2025-27152 (Medium) Detected in axios-0.21.1.tgz: A Critical Vulnerability in a Popular HTTP Client Library
Introduction
In the ever-evolving landscape of software development, vulnerabilities in popular libraries can have far-reaching consequences. One such vulnerability has been detected in the axios-0.21.1.tgz library, a widely used promise-based HTTP client for the browser and node.js. In this article, we will delve into the details of the CVE-2025-27152 vulnerability, its impact, and the suggested fix.
CVE-2025-27152 - Medium Severity Vulnerability
The axios library is a crucial component in many web applications, enabling developers to make HTTP requests with ease. However, a recent vulnerability has been discovered in the axios-0.21.1.tgz version, which can lead to Server-Side Request Forgery (SSRF) and credential leakage. This issue arises when passing absolute URLs rather than protocol-relative URLs to axios, even if the baseURL is set.
The axios library is a promise-based HTTP client for the browser and node.js.
Library home page: https://registry.npmjs.org/axios/-/axios-0.21.1.tgz
Path to dependency file: /node_modules/axios/package.json
Path to vulnerable library: /node_modules/axios/package.json
Dependency Hierarchy
The axios library is part of a larger dependency hierarchy, which includes the chromedriver-89.0.0.tgz library as the root library.
Dependency Hierarchy:
- chromedriver-89.0.0.tgz (Root Library)
  - axios-0.21.1.tgz (Vulnerable Library)
Found in HEAD Commit
The CVE-2025-27152 vulnerability was found in the HEAD commit of the snowdensb/vets-website repository.
Found in HEAD commit: https://github.com/snowdensb/vets-website/commit/ca255a4489b5c937cfb850ddee46dc5b8c99d85e
Found in Base Branch
The vulnerability was also found in the master branch of the repository.
Found in base branch: master
Vulnerability Details
The axios library is a promise-based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios. This issue is fixed in 1.8.2.
Publish Date and URL
The CVE-2025-27152 vulnerability was published on 2025-03-07 and can be found on the Mend.io vulnerability database.
Publish Date: 2025-03-07
URL: https://www.mend.io/vulnerability-database/CVE-2025-27152
CVSS 3 Score Details
The CVE-2025-27152 vulnerability has a CVSS 3 score of 5.5, indicating a medium severity vulnerability.
CVSS 3 Score Details (5.5)
- Base Score Metrics:
  - Exploitability Metrics:
    - Attack Vector: Local
    - Attack Complexity: Low
    - Privileges Required: None
    - User Interaction: Required
    - Scope: Unchanged
  - Impact Metrics:
    - Confidentiality Impact: None
    - Integrity Impact: None
    - Availability Impact: High
Suggested Fix
The suggested fix for the CVE-2025-27152 vulnerability is to upgrade the axios library to version 1.8.2.
Suggested Fix:
- Type: Upgrade version
- Release Date: 2025-03-07
- Fix Resolution: v1.8.2
In conclusion, the CVE-2025-27152 vulnerability in the axios-0.21.1.tgz library is a critical issue that can lead to SSRF and credential leakage. It is essential to upgrade the axios library to version 1.8.2 to mitigate this vulnerability.
CVE-2025-27152 (Medium) Detected in axios-0.21.1.tgz: A Critical Vulnerability in a Popular HTTP Client Library - Q&A
Introduction
In our previous article, we discussed the CVE-2025-27152 vulnerability in the axios-0.21.1.tgz library, a widely used promise-based HTTP client for the browser and node.js. In this article, we will address some of the frequently asked questions (FAQs) related to this vulnerability.
Q&A
Q: What is the CVE-2025-27152 vulnerability?
A: The CVE-2025-27152 vulnerability is a medium severity vulnerability in the axios-0.21.1.tgz library, which can lead to Server-Side Request Forgery (SSRF) and credential leakage.
Q: What is the impact of the CVE-2025-27152 vulnerability?
A: The CVE-2025-27152 vulnerability can impact both server-side and client-side usage of axios, potentially causing SSRF and credential leakage.
Q: How does the CVE-2025-27152 vulnerability occur?
A: The CVE-2025-27152 vulnerability occurs when passing absolute URLs rather than protocol-relative URLs to axios, even if the baseURL is set.
Q: What is the suggested fix for the CVE-2025-27152 vulnerability?
A: The suggested fix for the CVE-2025-27152 vulnerability is to upgrade the axios library to version 1.8.2.
Q: What is the CVSS 3 score of the CVE-2025-27152 vulnerability?
A: The CVSS 3 score of the CVE-2025-27152 vulnerability is 5.5, indicating a medium severity vulnerability.
Q: What is the impact of the CVE-2025-27152 vulnerability on confidentiality, integrity, and availability?
A: The CVE-2025-27152 vulnerability has a high impact on availability, but no impact on confidentiality and integrity.
Q: What is the recommended course of action for developers who are using the axios-0.21.1.tgz library?
A: Developers who are using the axios-0.21.1.tgz library should upgrade to version 1.8.2 as soon as possible to mitigate the CVE-2025-27152 vulnerability.
Q: Can the CVE-2025-27152 vulnerability be exploited remotely?
A: No, the CVE-2025-27152 vulnerability cannot be exploited remotely. It requires user interaction to exploit.
Q: What is the recommended way to prevent the CVE-2025-27152 vulnerability?
A: The recommended way to prevent the CVE-2025-27152 vulnerability is to use protocol-relative URLs when making requests with axios and to upgrade to version 1.8.2.
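The behaviour described in the Vulnerability Details section and in the answer above (a caller-supplied absolute URL overriding baseURL) can be caught before any request leaves the process. The following is an added example, not axios's own code: a guard that resolves the request URL against baseURL the way a browser would and refuses any target whose origin differs. It goes slightly beyond the advisory's wording in that a protocol-relative URL pointing at another host is rejected for the same reason. The baseURL, hostnames and the config shape ({ baseURL, url }) are constructed assumptions.

```javascript
// Added example (not part of axios): pre-flight origin check for requests
// that are supposed to stay under a configured baseURL.

// Resolve requestUrl against baseURL using WHATWG URL semantics and report
// whether the effective target stays on the base origin. Absolute URLs and
// protocol-relative URLs ("//host/path") replace the base; relative paths
// are joined onto it.
function resolveTarget(baseURL, requestUrl) {
  const base = new URL(baseURL);
  const target = new URL(requestUrl, base);
  return { href: target.href, sameOrigin: target.origin === base.origin };
}

// Interceptor-style guard over an axios-like config { baseURL, url }.
// Returns the config untouched when it is safe, throws before any network
// activity when the resolved target leaves the baseURL origin. Configs
// without a baseURL are passed through: there is no origin to pin to.
function guardRequestConfig(config) {
  if (!config.baseURL || typeof config.url !== 'string') return config;
  const { href, sameOrigin } = resolveTarget(config.baseURL, config.url);
  if (!sameOrigin) {
    const expected = new URL(config.baseURL).origin;
    throw new Error(`refusing request to ${href}: outside baseURL origin ${expected}`);
  }
  return config;
}

// Constructed sample inputs (hypothetical hosts) showing which URLs an
// unguarded axios 0.21.1 would have sent off-origin despite baseURL.
const BASE = 'https://api.internal.example';
const SAMPLES = [
  '/users/42',                              // relative: stays on base, allowed
  'https://api.internal.example/users/42',  // absolute, same origin: allowed
  'https://attacker.example/collect',       // absolute, other origin: rejected
  '//attacker.example/collect',             // protocol-relative, other host: rejected
];

function classifySamples() {
  return SAMPLES.map((url) => {
    try {
      guardRequestConfig({ baseURL: BASE, url });
      return { url, allowed: true };
    } catch (err) {
      return { url, allowed: false, reason: err.message };
    }
  });
}
```

With axios the same function can be registered via axios.interceptors.request.use so every request passes through it; axios 1.8 also exposes an allowAbsoluteUrls config option that makes the library itself enforce this when set to false.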
Conclusion
The CVE-2025-27152 vulnerability in the axios-0.21.1.tgz library is a critical issue that can lead to SSRF and credential leakage. It is essential to upgrade the axios library to version 1.8.2 to mitigate this vulnerability. We hope that this Q&A article has provided valuable information to help developers understand and address this vulnerability.