What happened?
While working on the rnx-kit project, I scanned the dependency manifest and found that the application uses a vulnerable version of axios affected by CVE-2025-62718. This vulnerability allows bypassing NO_PROXY rules due to improper hostname normalization (e.g., localhost. or [::1]). As a result, requests intended to bypass proxies may instead be routed through a proxy, potentially exposing sensitive internal services and leading to SSRF risks.
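As an added example (not axios code and not part of this report), the check below normalizes a hostname before consulting a NO_PROXY list, so the variants named above (a trailing dot, a bracketed IPv6 literal) match the intended entries; a naive exact-string comparison is shown beside it to make the gap visible. The hostnames and NO_PROXY values are constructed.

```javascript
// Canonical host form: lowercase, IPv6 brackets removed, explicit port
// dropped, one trailing dot (absolute DNS name) stripped.
function normalizeHost(host) {
  let h = String(host).trim().toLowerCase();
  const v6 = h.match(/^\[([^\]]+)\](?::\d+)?$/); // [::1] or [::1]:8080
  if (v6) return v6[1];
  const i = h.lastIndexOf(":");
  if (i !== -1 && h.indexOf(":") === i) h = h.slice(0, i); // host:port
  if (h.endsWith(".")) h = h.slice(0, -1); // localhost. -> localhost
  return h;
}

// NO_PROXY is comma separated; "*" disables proxying; a leading dot
// marks a domain suffix. Entries are normalized the same way as hosts.
function parseNoProxy(noProxy) {
  return String(noProxy || "")
    .split(",")
    .map((e) => e.trim())
    .filter(Boolean)
    .map((e) => (e === "*" ? e : normalizeHost(e.replace(/^\./, ""))));
}

// Bypass the proxy when the normalized host equals an entry or is a
// subdomain of it.
function shouldBypassProxy(host, noProxy) {
  const h = normalizeHost(host);
  return parseNoProxy(noProxy).some(
    (e) => e === "*" || h === e || h.endsWith("." + e)
  );
}

// Exact-string comparison with no normalization: misses "localhost."
// and "[::1]" even though the operator listed localhost and ::1.
function naiveBypass(host, noProxy) {
  return String(noProxy).split(",").map((s) => s.trim()).includes(host);
}

// Constructed demo: the operator intends localhost and ::1 to stay local.
const NO_PROXY = "localhost, ::1, .internal.example";
for (const host of ["localhost.", "[::1]", "API.internal.example.", "example.com"]) {
  console.log(host, "naive:", naiveBypass(host, NO_PROXY),
              "normalized:", shouldBypassProxy(host, NO_PROXY));
}
```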
CVE Report
CVE Link
Affected Package
<1.15.0
Version
1.15.0
Which platforms are you seeing this issue on?
System Information
Steps to Reproduce
Observe that the request is routed through the proxy instead of bypassing it
Code of Conduct