
21 matches found

Hacker One
added 2026/05/13 10:12 p.m., 13 views

curl: HSTS multi-trailing-dot bypass-ish: possible incomplete fix for CVE-2022-30115

Hi all, Honestly, I'm not completely certain about this issue, but I think the CVE-2022-30115 fix "HSTS bypass via trailing dot" is incomplete: the same asymmetry exists for hostnames with two or more trailing dots, so http://example.com../ still gets sent in plaintext when there's a valid HSTS...

CVSS 4.3, AI score 6.8, EPSS 0.00083
Exploits 1
IBM Security Bulletins
added 2026/05/04 12:10 p.m., 2 views

Security Bulletin: Axios NO_PROXY Bypass via Improper Hostname Normalization Leads to SSRF

Summary Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. with a trailing dot or ::1 IPv6 literal skip NO_PROXY matching an...

CVSS 9.9, AI score 6.2, EPSS 0.00069
Exploits 6, Affected Software 1
Veracode
added 2026/04/30 10:04 a.m., 4 views

Server-Side Request Forgery (SSRF)

Axios is vulnerable to Server-Side Request Forgery (SSRF). The vulnerability is due to inadequate hostname normalization and reliance on string matching in proxy bypass logic, which allows an attacker to route local requests through a proxy instead of bypassing it...

CVSS 7.5, AI score 5.2, EPSS 0.0006
Exploits 1, References 3, Affected Software 1
CNNVD
added 2026/04/24 12:00 a.m., 3 views

Axios Code Issue Vulnerability

Axios is an open-source HTTP client developed by Axios. Versions of Axios prior to 1.15.1 and 0.31.1 have code vulnerabilities. These vulnerabilities stem from incomplete fixes for NO_PROXY hostname normalization, allowing requests to 127.0.0.1 and ::1 to still be routed through a proxy...

CVSS 7.5, AI score 5.9, EPSS 0.0006
Exploits 1, References 1
Veracode
added 2026/04/13 12:44 p.m., 2 views

Server-Side Request Forgery (SSRF)

Axios is vulnerable to Server-Side Request Forgery (SSRF). The vulnerability is due to improper hostname normalization when evaluating NO_PROXY rules, where crafted loopback addresses (e.g., localhost. or ::1) bypass proxy exclusions and are routed through the proxy, allowing attackers to access...

CVSS 9.9, AI score 5.8, EPSS 0.00069
Exploits 1, References 11, Affected Software 1
RedhatCVE
added 2026/04/10 10:36 p.m., 2 views

CVE-2025-62718

A flaw was found in Axios, a promise-based HTTP client. This vulnerability occurs because Axios does not correctly handle hostname normalization when evaluating NO_PROXY rules. An attacker can exploit this by crafting requests to loopback addresses (e.g., localhost. or ::1) which bypass the NO_PROXY...

CVSS 9.9, AI score 5.7, EPSS 0.00069
Exploits 1, References 9
Github Security Blog
added 2026/04/09 5:32 p.m., 7 views

Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF

Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. with a trailing dot or ::1 IPv6 literal skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force...

CVSS 9.9, AI score 5.7, EPSS 0.00069
Exploits 1, References 11, Affected Software 1
OSV
added 2026/04/09 5:32 p.m., 1 view

GHSA-3P68-RC4W-QGX5 Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF

Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. with a trailing dot or ::1 IPv6 literal skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force...

CVSS 6.3, AI score 5.7, EPSS 0.00069
Exploits 1, References 11
Snyk
added 2026/04/09 4:14 p.m., 2 views

Unintended Proxy or Intermediary ('Confused Deputy')

Overview org.webjars.npm:axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Unintended Proxy or Intermediary ('Confused Deputy') via improper hostname normalization in the NO_PROXY environment variable. An attacker controlling reques...

CVSS 9.9, AI score 5.7, EPSS 0.00069
Exploits 1, References 2
Snyk
added 2026/04/09 4:14 p.m., 0 views

Unintended Proxy or Intermediary ('Confused Deputy')

Overview axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Unintended Proxy or Intermediary ('Confused Deputy') via improper hostname normalization in the NO_PROXY environment variable. An attacker controlling request URLs can acces...

CVSS 9.9, AI score 5.7, EPSS 0.00069
Exploits 1, References 2
NVD
added 2026/04/09 3:16 p.m., 0 views

CVE-2025-62718

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. with a trailing dot or ::1 IPv6 literal skip NO_PROXY matching and go...

CVSS 9.9, EPSS 0.00069
Exploits 1, References 9
UbuntuCve
added 2026/04/09 3:16 p.m., 0 views

CVE-2025-62718

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. with a trailing dot or ::1 IPv6 literal skip NO_PROXY matching and go...

CVSS 9.9, AI score 6.2, EPSS 0.00069
Exploits 1, References 7
Cvelist
added 2026/04/09 2:31 p.m., 18 views

CVE-2025-62718 Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. with a trailing dot or ::1 IPv6 literal skip NO_PROXY matching and go...

CVSS 6.3, EPSS 0.00069
Exploits 1, References 9
Vulnrichment
added 2026/04/09 2:31 p.m., 1 view

CVE-2025-62718 Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. with a trailing dot or ::1 IPv6 literal skip NO_PROXY matching and go...

CVSS 6.3, AI score 5.7, EPSS 0.00069
Exploits 1, References 9
CVE
added 2026/04/09 2:31 p.m., 268 views

CVE-2025-62718

Axios prior to 1.15.0 has a hostname normalization flaw when evaluating NO_PROXY rules. Requests to loopback addresses (e.g., localhost with a trailing dot or IPv6 [::1]) can bypass NO_PROXY and be routed through the configured proxy. This bypass enables potential proxy circumvention and SSRF aga...

CVSS 9.9, AI score 5.7, EPSS 0.00069
Exploits 1, References 9, Affected Software 1
CNNVD
added 2026/04/09 12:00 a.m., 2 views

Axios Security Vulnerability

Axios is an open-source HTTP client developed by Axios. Versions of Axios prior to 1.15.0 contained a security vulnerability caused by improper handling of hostname normalization. This vulnerability could lead to proxy bypass and server-side request forgery attacks...

CVSS 9.9, AI score 6.6, EPSS 0.00069
Exploits 1, References 9
CNNVD
added 2026/04/03 12:00 a.m., 4 views

util-linux Security Vulnerability

util-linux is an open-source software package developed by util-linux. There is a security vulnerability in util-linux, which stems from improper hostname normalization. This vulnerability could allow remote attackers to bypass host-based PAM access control rules and gain unauthorized access...

CVSS 5.3, AI score 5.8, EPSS 0.00087
Exploits 0, References 4
Tenable Nessus
added 2026/01/20 12:00 a.m., 4 views

MiracleLinux 8 : java-11-openjdk-11.0.8.10-0.el8 (AXSA:2020-547:07)

The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2020-547:07 advisory. OpenJDK: Bypass of boundary checks in nio.Buffer via concurrent access (Libraries, 8238920) (CVE-2020-14583). OpenJDK: Incomplete bounds checks in Affine...

CVSS 8.3, AI score 8.3, EPSS 0.01018
Exploits 0, References 8
RedHat Linux
added 2020/12/16 3:21 p.m., 0 views

OpenJDK: HostnameChecker does not ensure X.509 certificate names are in normalized form (JSSE, 8237592)

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to...

CVSS 4.3, AI score 6.7, EPSS 0.00283
Exploits 0, References 4
CNVD
added 2015/07/02 12:00 a.m., 2 views

Google Chrome Restriction Bypass Vulnerability

Google Chrome is a web browser developed by the American company Google. A security vulnerability exists in the 'DecodeHSTSPreloadRaw' function in the net/http/transport_security_state.cc file in versions of Google Chrome prior to 43.0.2357.130, which originates from the program failing to...

CVSS 4.3, AI score 6.6, EPSS 0.00924
Exploits 0, References 1