Axios Proxy Bypass Vulnerability Allowing SSRF via NO_PROXY Hostname Normalization Issue

Vulnerability

A vulnerability in Axios prior to version 1.15.0 allows for proxy bypass and server-side request forgery (SSRF) by incorrectly handling hostname normalization when applying NO_PROXY rules. This issue affects requests to loopback addresses, such as 'localhost.' (with a trailing dot) or '[::1]' (IPv6 literal), which are improperly proxied despite NO_PROXY being set to protect internal services. The vulnerability arises because Axios performs a literal string comparison of hostnames instead of normalizing them before checking NO_PROXY, leading to unintended proxy usage for loopback addresses.

Impact

Exploitation of this vulnerability causes requests to loopback addresses to be routed through an attacker-controlled proxy, bypassing NO_PROXY protections and potentially allowing access to sensitive internal services.

Reproduction

The vulnerability can be reproduced by setting the HTTP_PROXY environment variable to point to a local proxy server and configuring NO_PROXY to exclude localhost and IPv6 loopback addresses. When Axios is used to send a request to 'http://localhost.:8080/' or 'http://[::1]:8080/', the request is incorrectly proxied, demonstrating the normalization bypass.
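The normalization gap described above, as an added example that is not Axios's own code: a naive NO_PROXY matcher that compares the raw URL hostname literally, beside a hardened matcher that normalizes the hostname (trailing dot, IPv6 brackets, case) before comparing. The NO_PROXY list, the URLs and the function names are constructed for illustration.

```javascript
// Added example (not Axios code). The NO_PROXY list below is a constructed
// sample value; real code would read it from process.env.NO_PROXY.
const NO_PROXY = 'localhost,127.0.0.1,::1';

function noProxyEntries(noProxy) {
  return noProxy.split(',').map((e) => e.trim()).filter(Boolean);
}

// Naive check: literal comparison of the raw hostname against each entry.
// WHATWG URL keeps a trailing dot ('localhost.') and IPv6 brackets ('[::1]'),
// so neither spelling matches the 'localhost' / '::1' entries.
function shouldBypassProxyNaive(url, noProxy = NO_PROXY) {
  const host = new URL(url).hostname;
  return noProxyEntries(noProxy).some((entry) => entry === host);
}

// Normalize a hostname before comparison: lowercase, strip IPv6 brackets,
// drop any trailing dot(s) from a fully-qualified spelling.
function normalizeHost(host) {
  let h = host.trim().toLowerCase();
  if (h.startsWith('[') && h.endsWith(']')) h = h.slice(1, -1);
  while (h.endsWith('.')) h = h.slice(0, -1);
  return h;
}

// Hardened check: normalizes both sides; also honours '*' and the common
// leading-dot suffix form ('.internal' matches 'api.internal' and 'internal').
function shouldBypassProxy(url, noProxy = NO_PROXY) {
  const host = normalizeHost(new URL(url).hostname);
  return noProxyEntries(noProxy).some((entry) => {
    if (entry === '*') return true;
    const e = normalizeHost(entry);
    if (e.startsWith('.')) return host === e.slice(1) || host.endsWith(e);
    return host === e;
  });
}

// Demonstration with the two loopback spellings from the advisory.
for (const u of ['http://localhost.:8080/', 'http://[::1]:8080/']) {
  console.log(u, 'naive bypass:', shouldBypassProxyNaive(u),
              'normalized bypass:', shouldBypassProxy(u));
}
```

With the naive matcher both loopback URLs report "bypass: false" and would be sent to the proxy; the normalizing matcher keeps them local.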

Remediation

Update to Axios version 1.15.0 or later, where this vulnerability is fixed.

Added: Apr 9, 2026, 4:08 PM
Updated: Apr 9, 2026, 4:08 PM

Vulnerability Rating (Custom Algorithm)

spread: 7.8
impact: 0.6
exploitability: 6.0
remediation: 7.7
relevance: 5.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.