CVE-2025-27152 (Medium) Detected In Axios-0.18.1.tgz, Axios-0.19.2.tgz

CVE-2025-27152 (Medium) Detected in axios-0.18.1.tgz and axios-0.19.2.tgz: A Critical Vulnerability in Popular HTTP Client Library

Introduction

In the ever-evolving landscape of software development, security vulnerabilities can have a significant impact on the integrity and reliability of applications. One such vulnerability, CVE-2025-27152, has been detected in the popular HTTP client library, axios. This article will delve into the details of this vulnerability, its impact, and the suggested fix to ensure the security of your applications.

CVE-2025-27152 - Medium Severity Vulnerability

Vulnerable Libraries

The vulnerability has been detected in two versions of the axios library: axios-0.18.1.tgz and axios-0.19.2.tgz.

axios-0.18.1.tgz

• Promise based HTTP client for the browser and node.js
• Library home page: https://registry.npmjs.org/axios/-/axios-0.18.1.tgz
• Path to dependency file: /package.json
• Path to vulnerable library: /node_modules/axios/package.json

Dependency Hierarchy:

• webhook-5.0.2.tgz (Root Library)
  • :x: axios-0.18.1.tgz (Vulnerable Library)

axios-0.19.2.tgz

• Promise based HTTP client for the browser and node.js
• Library home page: https://registry.npmjs.org/axios/-/axios-0.19.2.tgz
• Path to dependency file: /package.json
• Path to vulnerable library: /node_modules/@slack/web-api/node_modules/axios/package.json,/node_modules/@slack/oauth/node_modules/axios/package.json,/node_modules/@slack/bolt/node_modules/axios/package.json

Dependency Hierarchy:

• bolt-2.3.0.tgz (Root Library)
  • :x: axios-0.19.2.tgz (Vulnerable Library)

Vulnerability Details

The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF (Server-Side Request Forgery) and credential leakage. This issue impacts both server-side and client-side usage of axios.

CVSS 3 Score Details

The CVSS 3 score for this vulnerability is 5.5.

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

The suggested fix for this vulnerability is to upgrade the version of axios to 0.20.0.

Type: Upgrade version Origin: https://github.com/advisories/GHSA-jr5f-v2jv-69x6 Release Date: 2025-03-07 Fix Resolution (axios): 0.20.0 Direct dependency fix Resolution (@slack/webhook): 5.0.4 Direct dependency fix Resolution (@slack/bolt): 2.6.0

Conclusion

In conclusion, the CVE-2025-27152 vulnerability in axios-0.18.1.tgz and axios-0.19.2.tgz is a critical issue that can have significant consequences if left unaddressed. It is essential to upgrade the version of axios to 0.20.0 to ensure the security of your applications. By taking proactive measures to address this vulnerability, you can help prevent potential security breaches and maintain the integrity of your applications.

Recommendations

• Upgrade axios to 0.20.0 to address the CVE-2025-27152 vulnerability.
• Regularly review and update dependencies to ensure the security of your applications.
• Implement a robust vulnerability management process to identify and address potential security issues.

By following these recommendations, you can help ensure the security and reliability of your applications and prevent potential security breaches.
CVE-2025-27152 (Medium) Detected in axios-0.18.1.tgz and axios-0.19.2.tgz: A Critical Vulnerability in Popular HTTP Client Library - Q&A

Introduction

In our previous article, we discussed the CVE-2025-27152 vulnerability in the popular HTTP client library, axios. This vulnerability has significant implications for the security of applications that use axios. In this article, we will answer some frequently asked questions about this vulnerability to help you better understand its impact and how to address it.

Q&A

Q: What is the CVE-2025-27152 vulnerability?

A: The CVE-2025-27152 vulnerability is a critical issue in the axios library that allows an attacker to perform Server-Side Request Forgery (SSRF) and credential leakage. This vulnerability occurs when passing absolute URLs rather than protocol-relative URLs to axios.

Q: Which versions of axios are affected by this vulnerability?

A: The CVE-2025-27152 vulnerability affects two versions of axios: axios-0.18.1.tgz and axios-0.19.2.tgz.

Q: What is the impact of this vulnerability?

A: The impact of this vulnerability is significant. An attacker can use this vulnerability to perform SSRF and credential leakage, potentially leading to unauthorized access to sensitive data.

Q: How can I identify if my application is affected by this vulnerability?

A: To identify if your application is affected by this vulnerability, you can check the version of axios being used in your application. If you are using axios-0.18.1.tgz or axios-0.19.2.tgz, you are likely affected by this vulnerability.

Q: What is the suggested fix for this vulnerability?

A: The suggested fix for this vulnerability is to upgrade the version of axios to 0.20.0.

Q: How can I upgrade axios to 0.20.0?

A: To upgrade axios to 0.20.0, you can follow these steps:

1. Check the version of axios being used in your application.
2. If you are using axios-0.18.1.tgz or axios-0.19.2.tgz, upgrade to axios-0.20.0.
3. Update your application's dependencies to reflect the new version of axios.

Q: Are there any other dependencies that need to be updated?

A: Yes, if you are using axios-0.19.2.tgz, you may also need to update the following dependencies:

• @slack/webhook: upgrade to 5.0.4
• @slack/bolt: upgrade to 2.6.0

Q: How can I ensure that my application is secure after upgrading axios?

A: To ensure that your application is secure after upgrading axios, you should:

1. Regularly review and update dependencies to ensure the security of your application.
2. Implement a robust vulnerability management process to identify and address potential security issues.
3. Monitor your application's logs and performance to detect any potential security issues.

Conclusion

In conclusion, the CVE-2025-27152 vulnerability in axios-0.18.1.tgz and axios-0.19.2.tgz is a critical issue that requires immediate attention. By understanding the impact of this vulnerability and following the suggested fix, you can help ensure the security of your application. Remember to regularly review and update dependencies, implement a robust vulnerability management process, and monitor your application's logs and performance to detect any potential security issues.

Recommendations

• Upgrade axios to 0.20.0 to address the CVE-2025-27152 vulnerability.
• Regularly review and update dependencies to ensure the security of your application.
• Implement a robust vulnerability management process to identify and address potential security issues.
• Monitor your application's logs and performance to detect any potential security issues.