Security Vulnerability Report
We have identified two security vulnerabilities, one rated High and one rated Critical, in the axios dependency used by CodiMD.
Affected Version
Current axios version: 0.21.4
Vulnerabilities
CVE-2025-62718 — SSRF via NO_PROXY Hostname Normalization Bypass
- Severity: High
- Description: Axios does not normalize the request hostname before checking it against NO_PROXY rules. Requests to loopback addresses written as localhost. (trailing dot) or [::1] (bracketed IPv6 literal) fail to match NO_PROXY and are sent through the configured proxy, which allows an attacker who controls the request URL to reach sensitive internal services that the proxy can reach.
- Fixed in: axios >= 1.15.0
- Reference: GHSA-3p68-rc4w-qgx5
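The following is an added illustration of the hostname-normalization issue, not code from axios or CodiMD. It puts a naive NO_PROXY matcher (compare the hostname exactly as the URL parser returns it) next to one that canonicalizes both sides first. The NO_PROXY value, the URLs and the function names are constructed for the example; the matcher only handles the exact, leading-dot and "*" rule forms and does not fully canonicalize IPv6 addresses.

```javascript
// Added example (not axios or CodiMD code): naive vs normalized NO_PROXY matching.

// Constructed sample NO_PROXY value, comma-separated as curl/axios read it.
const SAMPLE_NO_PROXY = "localhost,127.0.0.1,::1,.internal.example";

function parseNoProxy(value) {
  return value.split(",").map((r) => r.trim().toLowerCase()).filter(Boolean);
}

// Naive matcher: compares the hostname exactly as the WHATWG URL parser returns it.
// The parser keeps a trailing dot ("localhost.") and the brackets around an IPv6
// literal ("[::1]"), so neither equals the "localhost" / "::1" rules and the
// request is sent through the proxy even though loopback was excluded.
function naiveShouldBypass(urlString, noProxy = SAMPLE_NO_PROXY) {
  const host = new URL(urlString).hostname.toLowerCase();
  return parseNoProxy(noProxy).some((rule) =>
    rule === "*" || (rule.startsWith(".") ? host.endsWith(rule) : host === rule)
  );
}

// Canonical form applied to BOTH the request hostname and every rule:
//  - lowercase
//  - strip the brackets a URL parser keeps around IPv6 literals ("[::1]" -> "::1")
//  - strip trailing dots of a fully-qualified name ("localhost." -> "localhost")
// Further IPv6 canonicalization (e.g. "0:0:0:0:0:0:0:1" -> "::1") is out of scope here.
function normalizeHost(host) {
  let h = host.trim().toLowerCase();
  if (h.startsWith("[") && h.endsWith("]")) h = h.slice(1, -1);
  h = h.replace(/\.+$/, "");
  return h;
}

function matchesRule(host, rule) {
  if (rule === "*") return true;
  if (rule.startsWith(".")) {
    // ".internal.example" matches the domain itself and any subdomain of it
    const bare = rule.slice(1);
    return host === bare || host.endsWith(rule);
  }
  return host === rule;
}

function hardenedShouldBypass(urlString, noProxy = SAMPLE_NO_PROXY) {
  const host = normalizeHost(new URL(urlString).hostname);
  return parseNoProxy(noProxy).map(normalizeHost).some((rule) => matchesRule(host, rule));
}

// Runs both matchers over a few constructed URLs and returns the verdicts.
function compare(urls = [
  "http://localhost./admin",
  "http://[::1]:8080/",
  "http://app.internal.example/",
  "http://example.com/",
]) {
  return urls.map((u) => ({ url: u, naive: naiveShouldBypass(u), hardened: hardenedShouldBypass(u) }));
}
```

Calling compare() shows the two loopback spellings bypassing the proxy only under the hardened matcher; the naive matcher treats them as external hosts and hands them to the proxy, which is the behaviour the advisory describes.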
CVE-2026-40175 — RCE / Full Cloud Compromise via Prototype Pollution Gadget Chain
- Severity: Critical (CVSS 10.0)
- Description: Axios contains a "gadget" chain through which prototype pollution in any third-party dependency can be escalated into remote code execution (RCE) or full cloud compromise (via an AWS IMDSv2 bypass).
- Fixed in: axios >= 1.15.0
- Reference: GHSA-fvcv-3m26-pcqx
Request
Please upgrade axios to 1.15.0 or later to address both vulnerabilities. The installed version can be confirmed before and after the upgrade with npm ls axios.