[Pkg-javascript-devel] Bug#1102223: node-axios: CVE-2025-27152
Salvatore Bonaccorso
carnil at debian.org
Sun Apr 6 15:32:35 BST 2025
Source: node-axios
Version: 1.7.9+dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for node-axios.
CVE-2025-27152[0]:
| axios is a promise based HTTP client for the browser and node.js.
| The issue occurs when passing absolute URLs rather than protocol-
| relative URLs to axios. Even if baseURL is set, axios sends the
| request to the specified absolute URL, potentially causing SSRF and
| credential leakage. This issue impacts both server-side and client-
| side usage of axios. This issue is fixed in 1.8.2.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-27152
https://www.cve.org/CVERecord?id=CVE-2025-27152
[1] https://github.com/axios/axios/security/advisories/GHSA-jr5f-v2jv-69x6
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
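Added example, not code from this report or from axios itself: a JavaScript guard that resolves a request path against a configured baseURL and refuses any target on another origin, which is the check a caller can apply before handing user-influenced paths to an affected axios version. The function names and the sample base URL are assumptions.

```javascript
// Guard against the behaviour described in CVE-2025-27152: an absolute (or
// protocol-relative) URL passed to a client configured with a baseURL is sent
// to that URL as-is, together with any credentials attached to the client.
// Resolving with the WHATWG URL API reproduces that resolution, so comparing
// origins tells us whether the request would leave the configured host.

// Returns the resolved absolute URL string when `requestUrl` stays on the
// baseURL's origin (scheme + host + port); throws otherwise.
function resolveWithinBase(baseURL, requestUrl) {
  const base = new URL(baseURL);
  // Absolute ("https://other.example/x") and protocol-relative
  // ("//other.example/x") inputs both discard the base during resolution;
  // path-relative inputs ("users/42", "/v1/users/42") are joined onto it.
  const target = new URL(requestUrl, base);
  if (target.origin !== base.origin) {
    throw new Error(
      `refusing request to ${target.origin}: outside configured base ${base.origin}`
    );
  }
  return target.href;
}

// Boolean form for callers that prefer not to catch.
function isWithinBase(baseURL, requestUrl) {
  try {
    resolveWithinBase(baseURL, requestUrl);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed sample inputs (assumed base URL, not from the report).
const SAMPLE_BASE = 'https://api.internal.example/v1/';
const SAMPLE_PATHS = [
  'users/42',                                // relative: allowed
  '/v1/users/42',                            // root-relative: allowed
  'https://api.internal.example/v1/users/42',// absolute, same origin: allowed
  'https://api.internal.example:8443/v1/x',  // same host, other port: blocked
  'https://other.example/collect',           // absolute, other origin: blocked
  '//other.example/collect',                 // protocol-relative: blocked
];

for (const p of SAMPLE_PATHS) {
  const verdict = isWithinBase(SAMPLE_BASE, p)
    ? resolveWithinBase(SAMPLE_BASE, p)
    : 'BLOCKED';
  console.log(`${p} -> ${verdict}`);
}
```

The guard only decides where the request may go; it does not change how axios itself resolves the URL, so it belongs in front of every call site that accepts an externally supplied path.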