
[APS-18718] fix: update axios to ^1.15.0 to resolve SSRF via NO_PROXY bypass #1079

Open

avinash-bharti wants to merge 1 commit into master from fix/APS-18718-update-axios-ssrf

Conversation

@avinash-bharti
Collaborator

Security Fix: APS-18718

Issue

Axios has a NO_PROXY Hostname Normalization Bypass that leads to SSRF (CVE-2025-62718 / GHSA-3p68-rc4w-qgx5).

Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy. This allows attackers to force requests through a proxy even if NO_PROXY is set up to protect loopback or internal services, leading to potential SSRF.

Root Cause

Axios performs a literal string comparison instead of normalizing hostnames before checking NO_PROXY. Per RFC 1034 and RFC 3986, localhost. (with trailing dot) is equivalent to localhost at the DNS level, and [::1] is the IPv6 loopback. Axios fails to normalize these before matching, causing requests to bypass NO_PROXY rules.

Fix Applied

  • Updated axios dependency in package.json from ^1.7.7 to ^1.15.0
  • Version 1.15.0 includes the fix for hostname normalization before NO_PROXY evaluation
  • This is a semver-compatible minor version bump within the 1.x major version

Testing

  • Unit tests: Need to be run manually (npm test) -- automated execution was blocked in this session
  • BrowserStack Cypress session: Needs manual verification -- run browserstack-cypress run with valid credentials to confirm the CLI still works end-to-end after the axios bump

BrowserStack Session Sanity (mandatory for session repos):

  • API-verified status: BLOCKED -- Bash execution unavailable in automated session; manual verification required
  • Session URL: N/A (pending manual test)
  • Browser/OS/Framework: Cypress / Chrome / Windows 11 (recommended for manual test)
  • Screenshot: N/A

Manual testing steps:

  1. Checkout this branch: git checkout fix/APS-18718-update-axios-ssrf
  2. Run npm install to resolve the updated axios version
  3. Run npm test to verify unit tests pass
  4. Run a Cypress test on BrowserStack: browserstack-cypress run --username $BROWSERSTACK_USERNAME --key $BROWSERSTACK_ACCESS_KEY
  5. Verify the session completes successfully on the BrowserStack dashboard

Risk Assessment

  • Minor version bump (1.7.x -> 1.15.x) within same major version
  • Axios follows semver; backward-compatible changes only
  • The CLI uses axios for BrowserStack API calls -- core HTTP functionality is preserved

Jira Ticket

https://browserstack.atlassian.net/browse/APS-18718

Advisory

GHSA-3p68-rc4w-qgx5

Checklist

  • Security issue addressed (axios updated to patched version)
  • Unit/integration tests passing (manual run required)
  • BrowserStack session run and API-verified (manual run required)
  • README/docs updated if needed (no changes needed)

…s [APS-18718]

- Bump axios from ^1.7.7 to ^1.15.0
- Fixes CVE-2025-62718 / GHSA-3p68-rc4w-qgx5
- Axios did not normalize hostnames when checking NO_PROXY rules,
  allowing requests to loopback addresses (localhost., [::1]) to
  bypass NO_PROXY and go through the configured proxy (SSRF risk)

Resolves: APS-18718
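The bypass described in the PR description and commit message above, shown as an added example that is not axios's own code: a literal NO_PROXY comparison next to one that normalizes the hostname (trailing dot, IPv6 brackets, case) before matching. The helper names normalizeHost, matchesNoProxyLiteral and matchesNoProxyNormalized and the NO_PROXY value are assumptions made for this example.

```javascript
// Added example (not axios's own code): a NO_PROXY matcher that normalizes the
// hostname the way the advisory above requires. normalizeHost, matchesNoProxyLiteral
// and matchesNoProxyNormalized are hypothetical helper names chosen for this example.

// Canonical form of a host: lower-case, IPv6 brackets removed, trailing dot removed.
function normalizeHost(host) {
  let h = String(host).trim().toLowerCase();
  // "[::1]" is the bracketed URL form of the IPv6 loopback literal "::1"
  if (h.startsWith('[') && h.endsWith(']')) h = h.slice(1, -1);
  // "localhost." is the fully-qualified spelling of "localhost" (RFC 1034)
  while (h.length > 1 && h.endsWith('.')) h = h.slice(0, -1);
  return h;
}

function parseNoProxy(noProxy) {
  return String(noProxy || '').split(',').map((e) => e.trim()).filter(Boolean);
}

// Literal comparison, i.e. the vulnerable behaviour: "localhost." and "[::1]"
// never equal "localhost" / "::1", so the request falls through to the proxy.
function matchesNoProxyLiteral(host, noProxy) {
  return parseNoProxy(noProxy).some((entry) => entry === '*' || entry === host);
}

// Fixed behaviour: normalize both sides, and honour ".suffix" / "*.suffix" rules.
function matchesNoProxyNormalized(host, noProxy) {
  const h = normalizeHost(host);
  return parseNoProxy(noProxy).some((raw) => {
    if (raw === '*') return true;
    const entry = normalizeHost(raw.replace(/^\*\./, '.'));
    if (entry.startsWith('.')) {
      const suffix = entry.slice(1);
      return h === suffix || h.endsWith(entry);
    }
    return h === entry;
  });
}

// Constructed sample: NO_PROXY protects loopback and an internal zone; the
// request targets spellings of those hosts that a literal compare misses.
const NO_PROXY = 'localhost,127.0.0.1,::1,.internal.example';
for (const target of ['localhost.', '[::1]', 'LOCALHOST', 'api.internal.example', 'evil.example']) {
  console.log(target.padEnd(22),
    'literal:', matchesNoProxyLiteral(target, NO_PROXY),
    'normalized:', matchesNoProxyNormalized(target, NO_PROXY));
}
```

Running the loop shows the literal matcher returning false for `localhost.` and `[::1]` (so they would be sent to the proxy) while the normalized matcher returns true for both.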
