
CVE-2025-27152

Date: March 7, 2025
axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios. This issue is fixed in 1.8.2.
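The following added example (not code from axios or from this advisory) models the URL handling described above and shows an application-side guard that keeps caller-supplied paths inside the configured base. The names `legacyCombine`, `safeResolve`, `check` and the sample hosts are hypothetical and constructed for illustration; the guard complements the upgrade to the fixed version and does not replace it.

```javascript
// Constructed sample value: the API this client is meant to be pinned to.
const BASE_URL = 'https://api.internal.example/v1/';

// Matches scheme-qualified ("https://host") and protocol-relative ("//host") input.
const ABSOLUTE_OR_PROTOCOL_RELATIVE = /^([a-z][a-z\d+\-.]*:)?\/\//i;

// Model of the behaviour in the advisory: an absolute URL replaces baseURL
// instead of being joined to it, so the request leaves the intended host.
function legacyCombine(baseURL, requestedURL) {
  if (ABSOLUTE_OR_PROTOCOL_RELATIVE.test(requestedURL)) return requestedURL;
  return baseURL.replace(/\/+$/, '') + '/' + requestedURL.replace(/^\/+/, '');
}

// Guard to run on any caller-influenced path before it reaches the HTTP client.
function safeResolve(baseURL, requestedURL) {
  const base = new URL(baseURL);
  // URL parsers treat "\" as "/" for http(s), so normalise before checking.
  const candidate = String(requestedURL).trim().replace(/\\/g, '/');
  if (ABSOLUTE_OR_PROTOCOL_RELATIVE.test(candidate)) {
    throw new Error('absolute URL rejected: ' + requestedURL);
  }
  // Parse the joined result so "../" segments are resolved before comparing.
  const target = new URL(legacyCombine(base.href, candidate));
  if (target.origin !== base.origin || !target.pathname.startsWith(base.pathname)) {
    throw new Error('URL escapes baseURL: ' + requestedURL);
  }
  return target.href;
}

// Returns the resolved URL, or 'BLOCKED' when the guard rejects the input.
function check(input) {
  try {
    return safeResolve(BASE_URL, input);
  } catch (err) {
    return 'BLOCKED';
  }
}

// Constructed inputs: two legitimate paths, then four that must be rejected.
const samples = ['users/42', '/users/42', 'https://attacker.example/collect',
  '//attacker.example/collect', '\\\\attacker.example/collect', '../../admin'];
for (const input of samples) {
  console.log(JSON.stringify(input), '->', check(input));
}
```

Any headers or tokens configured on the client instance travel with the request, which is why the origin comparison matters as much as the path check.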
Weakness Type (CWE)
Server-Side Request Forgery (SSRF)
CWE-918

Top Fix

Upgrade Version
Upgrade to version axios - 1.8.2; axios - 0.30.0; axios - 0.20.0; org.webjars.npm:axios:1.8.3; org.webjars.npm:axios:0.26.1; org.webjars.npm:github-com-axios-axios:no_fix; org.webjars.npm:github-com-mzabriskie-axios:no_fix; https://github.com/axios/axios.git - v1.8.2; https://github.com/axios/axios.git - v0.30.0
CVSS v3.1
| Base Score: | |
|---|---|
| Attack Vector (AV): | NETWORK |
| Attack Complexity (AC): | LOW |
| Privileges Required (PR): | NONE |
| User Interaction (UI): | NONE |
| Scope (S): | UNCHANGED |
| Confidentiality (C): | HIGH |
| Integrity (I): | NONE |
| Availability (A): | NONE |