fix: bump axios to ^1.15.0 to patch NO_PROXY SSRF bypass (PMAA-94)#270

Merged
gaurav-singh-9227 merged 2 commits into browserstack:main from ruturaj-browserstack:fix/axios-ssrf-PMAA-94
Apr 13, 2026

Conversation

@ruturaj-browserstack ruturaj-browserstack commented Apr 13, 2026

Summary

Vulnerability

Axios <1.15.0 did a literal string comparison against NO_PROXY and did not normalize hostnames. Requests to http://localhost.:PORT/ (trailing dot) or http://[::1]:PORT/ (IPv6 literal) skipped NO_PROXY matching and were routed through the configured proxy — enabling SSRF / proxy-bypass when apps relied on NO_PROXY=localhost,127.0.0.1,::1 to protect loopback services.

Fixed upstream by axios/axios#10661, released in v1.15.0.

Changes

  • package.json: axios: "^1.14.0" → "^1.15.0"
  • package-lock.json: regenerated for axios 1.15.0

No source changes required — the fix lives inside axios' NO_PROXY evaluation logic, which our src/lib/apiClient.ts wrapper consumes transparently.

Impact assessment

  • axios 1.15.0 is a minor release over 1.14.0 (no breaking API changes per axios changelog).
  • Our repo's only axios consumers are src/lib/apiClient.ts and src/lib/error.ts (+ a test file). The public surface (AxiosRequestConfig, AxiosResponse, axios.create, per-verb methods, httpsAgent) is unchanged.
  • Typechecker (tsc --noEmit) passes clean.
  • Full test suite: 16 files / 123 tests passing.
  • npm audit surfaces 4 other unrelated advisories (vite, hono, @hono/node-server, basic-ftp) — out of scope for this ticket.

Verification

Ran a local verification harness (not committed) against the upgraded axios:

  1. Basic GET still works: axios.get("https://api.github.com/zen") → 200 OK
  2. NO_PROXY bypass fix confirmed — started a local proxy, set HTTP_PROXY=http://127.0.0.1:<port> and NO_PROXY=localhost,127.0.0.1,::1, then issued requests to http://localhost.:9999/ and http://[::1]:9999/. The proxy received zero hits, confirming axios 1.15.0 correctly normalizes trailing-dot hostnames and IPv6 literals before matching NO_PROXY. On axios 1.14.0 both requests would have been routed to the proxy. ✅
axios version: 1.15.0
[OK] Basic GET: 200 "Practicality beats purity."
[OK] NO_PROXY correctly honored for localhost. and [::1] (proxy not hit)

Test plan

  • npx tsc --noEmit — no errors
  • npm test — 123/123 passing
  • Local PoC from the advisory no longer reproduces
  • CI green on this PR

🤖 Generated with Claude Code
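The matcher below is an added illustration written for this page; it is not axios source and does not reproduce the upstream fix in axios/axios#10661. It models the two behaviours the description contrasts: a literal comparison of the URL host against NO_PROXY entries (which "localhost." and "[::1]" slip past), and a comparison that normalizes the host first (trailing dot stripped, IPv6 brackets removed). The entry semantics (leading-dot suffix match, optional :port, "*") are an assumption about common NO_PROXY conventions, not something the PR states, and the probe URLs are constructed to mirror the verification harness described above.

```javascript
"use strict";
// Added illustration for this PR page, not axios source code: a NO_PROXY
// matcher in two modes. "literal" compares the URL host string as-is (the
// behaviour the description attributes to axios <1.15.0); "normalized" strips
// a trailing dot and IPv6 brackets first. Entry semantics below (leading-dot
// suffix match, optional :port, "*") are an assumption about common NO_PROXY
// conventions, not something the PR states.

// Lowercase, drop a single trailing dot (FQDN form), drop IPv6 brackets.
function normalizeHost(hostname) {
  let h = hostname.toLowerCase();
  if (h.startsWith("[") && h.endsWith("]")) h = h.slice(1, -1);
  if (h.length > 1 && h.endsWith(".")) h = h.slice(0, -1);
  return h;
}

// Parse "a,b:8080,.corp.example,[::1]" into { host, port } entries.
function parseNoProxy(noProxy) {
  return noProxy
    .split(/[\s,]+/)
    .map((s) => s.trim().toLowerCase())
    .filter(Boolean)
    .map((entry) => {
      // Split an optional trailing :port; a bare IPv6 such as "::1" has no
      // port and falls through to the fallback branch.
      const m = entry.match(/^(\[[^\]]+\]|[^:]+)(?::(\d+))?$/);
      if (!m) return { host: normalizeHost(entry), port: null };
      return { host: normalizeHost(m[1]), port: m[2] ? Number(m[2]) : null };
    });
}

function hostMatches(host, entry) {
  if (entry.host === "*") return true;
  if (entry.host.startsWith(".")) {
    return host === entry.host.slice(1) || host.endsWith(entry.host);
  }
  return host === entry.host;
}

// Decide whether a request to `url` should skip the proxy.
function shouldBypassProxy(url, noProxy, { normalize = true } = {}) {
  const u = new URL(url);
  // WHATWG URL keeps "localhost." and "[::1]" verbatim in hostname, which is
  // exactly what a literal comparison trips over.
  const host = normalize ? normalizeHost(u.hostname) : u.hostname.toLowerCase();
  const port = Number(u.port) || (u.protocol === "https:" ? 443 : 80);
  return parseNoProxy(noProxy).some(
    (e) => hostMatches(host, e) && (e.port === null || e.port === port)
  );
}

// Constructed probes mirroring the PR's verification: the same NO_PROXY value,
// plain loopback URLs, the two bypass forms, and an external host.
const NO_PROXY = "localhost,127.0.0.1,::1";
const PROBES = [
  "http://localhost:9999/",
  "http://localhost.:9999/",
  "http://[::1]:9999/",
  "http://127.0.0.1:9999/",
  "http://example.com/",
];

// One row per probe: would a literal vs. a normalized matcher bypass the
// proxy? literal=false where normalized=true is the request that gets
// misrouted through the proxy.
function compareMatchers(noProxy = NO_PROXY, probes = PROBES) {
  return probes.map((url) => ({
    url,
    literal: shouldBypassProxy(url, noProxy, { normalize: false }),
    normalized: shouldBypassProxy(url, noProxy, { normalize: true }),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(compareMatchers());
}
```

Running it prints a table in which only the two bypass forms differ between the columns; the plain loopback URLs match in both modes and example.com matches in neither. The normalization is deliberately applied to the URL host rather than to the NO_PROXY entries alone, since the entries an operator writes ("localhost", "::1") are already canonical; it is the attacker-influenced URL that carries the unusual spelling.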

ruturaj-browserstack and others added 2 commits April 13, 2026 22:56
)

Upgrade axios from 1.14.0 to 1.15.0 to remediate GHSA-3p68-rc4w-qgx5,
where NO_PROXY hostname normalization could be bypassed via trailing-dot
hostnames or IPv6 literals, leading to SSRF. Ref PMAA-94.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
… server.json

Version bump for the axios 1.15.0 security upgrade (PMAA-94 / CVE-2025-62718).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@gaurav-singh-9227 gaurav-singh-9227 merged commit a54179e into browserstack:main Apr 13, 2026
1 check passed