CVE-2026-25639 – Axios Server-Side Request Forgery Vulnerability

CVSS 7.5 IMPORTANT

“A trusted HTTP client can become a silent bridge for attackers to reach internal systems that were never meant to be exposed.”

A vulnerability in Axios, the widely used JavaScript HTTP client library, tracked as CVE-2026-25639, exposes applications to Server-Side Request Forgery (SSRF) attacks. The issue arises from improper validation of user-supplied URLs when Axios processes requests. If an application passes untrusted input directly into Axios request functions, an attacker may force the server to initiate requests to unintended internal or external resources.

This vulnerability carries a CVSS v3.1 score of 7.5 (High). It can be exploited remotely over the network without requiring authentication. Successful exploitation may allow attackers to probe internal services, access sensitive metadata endpoints, or interact with systems that are normally protected behind firewalls. In cloud environments, this could expose internal APIs or instance metadata services.

Axios maintainers addressed the issue in updated releases that strengthen URL validation and request handling logic to prevent malicious redirection or unsafe internal network access.

Key Details

Affected Product: Axios Axios
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
CWE Classification: CWE-754