Bug 2350618 (CVE-2025-27152)

Summary: CVE-2025-27152 axios: Possible SSRF and Credential Leakage via Absolute URL in axios Requests
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aazores, abarbaro, abrianik, abuckta, adudiak, ahrabovs, alcohan, alizardo, anjoseph, aucunnin, bbrownin, bdettelb, brasmith, brking, carogers, caswilli, chfoley, cmah, cmiranda, cochase, crizzo, dfreiber, dhanak, dkuc, doconnor, dranck, drosa, drow, dsimansk, dymurray, eaguilar, ebaron, erezende, eric.wittmann, fdeutsch, fjansen, ggrzybek, gkamathe, gmalinko, gparvin, gtanzill, haoli, hkataria, ibek, ibolton, jajackso, janstey, jbalunas, jburrell, jcammara, jchui, jeder, jforrest, jhe, jkoehler, jmatthew, jmitchel, jmontleo, jneedle, jolong, jprabhak, jrokos, jscholz, jwendell, jwong, kaycoth, kegrant, kingland, koliveir, kshier, ktsao, kverlaen, lball, lchilton, lphiri, mabashia, matzew, mnovotny, mstoklus, nboldt, ngough, nipatil, njean, omaciel, orabin, oramraz, owatkins, pahickey, pantinor, parichar, pbraun, pcongius, pdelbell, pgaikwad, pierdipi, pjindal, porcelli, psrna, rcernich, rguimara, rhaigner, rhuss, rjohnson, rkubis, rstepani, sausingh, sdawley, sfeifer, sfroberg, shvarugh, simaishi, slucidi, smcdonal, smullick, sseago, stcannon, stirabos, swoodman, tasato, teagle, tfister, thason, thavo, ttakamiy, veshanka, vkumar, wtam, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was discovered in Axios. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if ⁠`baseURL` is set, axios sends the request to the specified absolute URL, which can potentially lead to server-side request forgery (SSRF). This issue impacts both server-side and client-side usage of axios.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-03-07 16:01:09 UTC 
axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if ⁠baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios. This issue is fixed in 1.8.2.