[GHSA-3p68-rc4w-qgx5] Axios has a NO_PROXY Hostname Normalization Bypass Leads to SSRF#7379

Open
Wenxin-Jiang wants to merge 1 commit into Wenxin-Jiang/advisory-improvement-7379 from Wenxin-Jiang-GHSA-3p68-rc4w-qgx5
Conversation

@Wenxin-Jiang
Updates

  • Affected products
  • References

Comments
The advisory currently marks axios as affected for < 1.15.0, with 1.15.0 listed as patched. That correctly captures the fixed boundary for the 1.x line, but it does not account for the 0.x backport: v0.31.0 is currently included in the affected range even though it contains the same NO_PROXY fix.

v0.31.0 includes the NO_PROXY fix via the same backport that carried the CRLF fix

On the 1.x line, the NO_PROXY fix shipped in v1.15.0 via commit fb3befb6daac6cad26b2e54094d0f2d9e47f24df (PR #10661, "fix: no_proxy hostname normalization bypass leads to ssrf"). That change introduces lib/helpers/shouldBypassProxy.js, which adds logic to:

  • normalizeNoProxyHost(hostname), which strips a trailing . and removes [] brackets from IPv6 literals before comparison.
  • isLoopbackHost(hostname), which treats localhost, ::1, and IPv4 loopback addresses (127.0.0.0/8) as equivalent for NO_PROXY matching.

That same logic was backported to the 0.x line in commit 03cdfc99e8db32a390e12128208b6778492cee9c (PR #10688, "fix: backport the fixes from the v1 branch"). This is the same backport commit that also carried the CRLF header injection fix tracked under GHSA-fvcv-3m26-pcqx; PR #10688 includes both fixes together.

Specifically:

  • lib/helpers/shouldBypassProxy.js is added in 03cdfc99 and first appears in v0.31.0; it is not present in v0.30.x.
  • The v0.31.0 implementation contains the same normalizeNoProxyHost and isLoopbackHost logic as the 1.x version, adapted to CommonJS but functionally equivalent.
  • lib/adapters/http.js is updated in the same backport commit to use the new helper.

As a result, consumers on v0.31.0 are not affected by this NO_PROXY bypass. The advisory should therefore represent the 0.x line separately, with < 0.31.0 listed as affected and 0.31.0 listed as patched.

Proposed changes

  • Add a separate affected range for 0.x:

    • affected: < 0.31.0
    • patched: 0.31.0

    This reflects the backport in commit 03cdfc99e8db32a390e12128208b6778492cee9c (PR #10688), which shipped in v0.31.0 and added lib/helpers/shouldBypassProxy.js with the same hostname-normalization and loopback-handling behavior as the 1.x fix.

  • Keep the existing 1.x range:

    • affected: < 1.15.0
    • patched: 1.15.0

  • Add supporting references:

    • fb3befb6daac6cad26b2e54094d0f2d9e47f24df (PR #10661)
    • 03cdfc99e8db32a390e12128208b6778492cee9c (PR #10688)
    • the v1.15.0 release tag

Without the separate 0.x range, v0.31.0 is incorrectly flagged as affected despite already containing the backported fix.
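The following block is an added illustration of the NO_PROXY matching behaviour the description above attributes to lib/helpers/shouldBypassProxy.js (trailing-dot stripping, IPv6 bracket removal, and treating localhost, ::1 and 127.0.0.0/8 as one loopback class). It is not axios's own code and not part of this pull request: the names normalizeNoProxyHost and isLoopbackHost are taken from the description, while the shouldBypassProxy signature, the comma-separated NO_PROXY parsing, the "*" wildcard, the suffix-match rule and the contrasting unnormalized comparison are assumptions made for this example. The sample inputs are constructed.

```javascript
// Added example modelled on the PR description; not axios's implementation.
// Assumed helpers: normalizeNoProxyHost / isLoopbackHost (names from the
// description), shouldBypassProxy and naiveShouldBypassProxy (assumed here).

// Bring a hostname into canonical form before comparing it with NO_PROXY entries.
function normalizeNoProxyHost(hostname) {
  let host = String(hostname).trim().toLowerCase();
  // Strip the trailing dot of a fully-qualified name ("localhost." -> "localhost").
  if (host.endsWith('.')) host = host.slice(0, -1);
  // Strip the brackets around an IPv6 literal ("[::1]" -> "::1").
  if (host.startsWith('[') && host.endsWith(']')) host = host.slice(1, -1);
  return host;
}

// Simple dotted-quad check (assumption: sufficient for this illustration).
const IPV4_RE = /^(\d{1,3})(\.\d{1,3}){3}$/;

// localhost, ::1 and the whole 127.0.0.0/8 range count as the same loopback host.
function isLoopbackHost(hostname) {
  const host = normalizeNoProxyHost(hostname);
  if (host === 'localhost' || host === '::1') return true;
  if (IPV4_RE.test(host)) return host.startsWith('127.');
  return false;
}

// Split a NO_PROXY value such as "localhost,127.0.0.1,.example.com".
function parseNoProxy(value) {
  return String(value || '').split(',').map((s) => s.trim()).filter(Boolean);
}

// Normalized comparison: the hardened form described in the advisory fix.
function shouldBypassProxy(hostname, noProxyValue) {
  const entries = parseNoProxy(noProxyValue);
  if (entries.includes('*')) return true;
  const host = normalizeNoProxyHost(hostname);
  for (const raw of entries) {
    const entry = normalizeNoProxyHost(raw);
    if (entry === host) return true;
    // ".example.com" or "example.com" also covers sub.example.com.
    const suffix = entry.startsWith('.') ? entry : '.' + entry;
    if (host.endsWith(suffix)) return true;
    // Any loopback spelling matches any loopback entry.
    if (isLoopbackHost(entry) && isLoopbackHost(host)) return true;
  }
  return false;
}

// Unnormalized comparison, shown only for contrast (assumed, not axios's old code).
function naiveShouldBypassProxy(hostname, noProxyValue) {
  const host = String(hostname).toLowerCase();
  return parseNoProxy(noProxyValue).some(
    (e) => e === host || host.endsWith('.' + e.replace(/^\./, ''))
  );
}

// Constructed sample cases: [request hostname, NO_PROXY value].
const SAMPLES = [
  ['localhost', 'localhost,127.0.0.1'],
  ['localhost.', 'localhost,127.0.0.1'],
  ['[::1]', 'localhost,127.0.0.1'],
  ['127.0.0.2', 'localhost,127.0.0.1'],
  ['internal.example.com', '.example.com'],
  ['example.com.', 'example.com'],
  ['evil.example.net', '.example.com'],
];

// Evaluate every sample under both comparisons so the difference is visible.
function runSamples() {
  return SAMPLES.map(([host, noProxy]) => ({
    host,
    noProxy,
    naive: naiveShouldBypassProxy(host, noProxy),
    fixed: shouldBypassProxy(host, noProxy),
  }));
}

console.table(runSamples());
```

Running the block prints a table in which the trailing-dot, bracketed-IPv6 and 127.0.0.2 rows are bypassed only under the normalized comparison, while evil.example.net is correctly sent through the proxy under both. When checking whether a deployment is on a version that carries this fix, the presence of lib/helpers/shouldBypassProxy.js in node_modules/axios (named in the description as first appearing in v1.15.0 and v0.31.0) is the concrete artefact to look for.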

@github
Collaborator

github commented Apr 13, 2026

Hi there @jasonsaayman! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.

@github-actions github-actions bot changed the base branch from main to Wenxin-Jiang/advisory-improvement-7379 April 13, 2026 16:59