PT-2025-10093 · Axios+3

Lambdasawa · Published 2024-06-24 · Updated 2026-04-30 · CVE-2025-27152

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: axios versions 1.0.0 through 1.8.1; Bamboo Data Center and Server versions 9.6.1 through 11.0.0
Description: A Server-Side Request Forgery (SSRF) vulnerability exists in axios when a request is issued with an absolute URL (one carrying a scheme, or a protocol-relative URL of the form //host/...) rather than a path relative to the configured baseURL. Even when baseURL is set, axios sends the request to that absolute URL, so an attacker who influences the request URL can redirect the request, together with any credentials attached to the axios instance (for example an Authorization header), to a host of their choosing. This affects both server-side and client-side usage. The vulnerability allows attackers to reach internal network resources and potentially obtain sensitive credentials. Millions of systems may be affected.
Recommendations: Upgrade axios to version 1.8.2 or later and set allowAbsoluteUrls: false on every axios instance that relies on baseURL. The option defaults to true, under which an absolute request URL still replaces baseURL, so upgrading alone does not change the behaviour; with false, axios combines the request URL with baseURL instead. Independently of that option, validate attacker-influenced strings before passing them to axios as the request URL, accepting only relative paths on the intended host. Bamboo Data Center and Server 9.6: Upgrade to a release greater than or equal to 9.6.20. Bamboo Data Center and Server 10.2: Upgrade to a release greater than or equal to 10.2.12. Bamboo Data Center and Server 11.0: Upgrade to a release greater than or equal to 11.0.8.
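The following is an added example, not code from axios or from this advisory. It re-implements the URL resolution axios performs against baseURL so the vulnerable and mitigated behaviour can be reproduced offline without the library, and adds an application-side guard for attacker-influenced paths. The helper names isAbsoluteURL, combineURLs and buildFullPath correspond to axios internals, but the bodies here are the example's own; the baseURL, the metadata-service URL and the attacker paths are constructed for illustration.

```javascript
// Added example (not code from axios or from this advisory): re-implements the
// URL resolution that axios performs against baseURL, so the SSRF behaviour
// can be reproduced offline, and shows a guard for attacker-influenced paths.
// The three helper names match axios internals, but the bodies here are the
// example's own; all hosts and paths below are constructed for illustration.

// Mirrors axios' isAbsoluteURL: a scheme followed by "//", or a bare
// protocol-relative "//host". Either form is treated as absolute.
function isAbsoluteURL(url) {
  return /^([a-z][a-z\d+\-.]*:)?\/\//i.test(url);
}

// Mirrors axios' combineURLs: strip one trailing slash from base, leading
// slashes from the relative part, and join with a single slash.
function combineURLs(baseURL, relativeURL) {
  return relativeURL
    ? baseURL.replace(/\/?\/$/, '') + '/' + relativeURL.replace(/^\/+/, '')
    : baseURL;
}

// Mirrors axios' buildFullPath as of 1.8.2. With allowAbsoluteUrls left at its
// default (true), an absolute requestedURL silently replaces baseURL, which is
// the CVE-2025-27152 behaviour; with false it is appended to baseURL instead.
function buildFullPath(baseURL, requestedURL, allowAbsoluteUrls = true) {
  const isRelative = !isAbsoluteURL(requestedURL);
  if (baseURL && (isRelative || allowAbsoluteUrls === false)) {
    return combineURLs(baseURL, requestedURL);
  }
  return requestedURL;
}

// Application-side guard, independent of the axios option: accept userPath
// only if it is not absolute and, once resolved, stays on baseURL's origin
// and under baseURL's path (so "../" cannot climb out of it). Returns the
// normalised URL string, otherwise throws.
function resolveOnBase(baseURL, userPath) {
  if (typeof userPath !== 'string' || isAbsoluteURL(userPath)) {
    throw new Error('absolute or protocol-relative URL rejected: ' + userPath);
  }
  const base = new URL(baseURL);
  const prefix = base.pathname.endsWith('/') ? base.pathname : base.pathname + '/';
  const resolved = new URL(combineURLs(baseURL, userPath));
  if (resolved.origin !== base.origin || !resolved.pathname.startsWith(prefix)) {
    throw new Error('resolved URL escapes baseURL: ' + resolved.href);
  }
  return resolved.href;
}

// Constructed scenario: a service holds an axios instance with a baseURL and
// an Authorization header, and an attacker controls the request URL.
const BASE = 'https://api.internal.example/v1';
const METADATA = 'http://169.254.169.254/latest/meta-data/iam/security-credentials/';

// Vulnerable: the attacker's absolute URL replaces baseURL and the instance's
// credentials travel with the request.
console.log('default   :', buildFullPath(BASE, METADATA));
console.log('default   :', buildFullPath(BASE, '//169.254.169.254/x'));
// Mitigated by the 1.8.2 option: the attacker's value is glued under baseURL.
console.log('opt false :', buildFullPath(BASE, METADATA, false));
// Guarded: a legitimate relative path is accepted, escapes are rejected.
console.log('guarded   :', resolveOnBase(BASE, 'users/42'));
for (const bad of [METADATA, '//169.254.169.254/x', '../../admin']) {
  try { resolveOnBase(BASE, bad); } catch (e) { console.log('rejected  :', e.message); }
}
```

With the real library the mitigated branch corresponds to creating the instance with axios.create({ baseURL: BASE, allowAbsoluteUrls: false }). Note what allowAbsoluteUrls: false does and does not do: it stops the request from leaving baseURL's host, but the attacker string is still appended to the path verbatim, so a guard like resolveOnBase (or an allow-list of paths) is still needed to keep untrusted input from steering the request within the API.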

Exploit

Fix

SSRF

Weakness Enumeration

Related Identifiers

BDU:2025-02726
CVE-2025-27152
GHSA-JR5F-V2JV-69X6
OPENSUSE-SU-2025:15307-1
OPENSUSE-SU-2025_1227-1
OPENSUSE-SU-2025_1326-1
SUSE-SU-2025:01326-1
SUSE-SU-2025:1227-1
SUSE-SU-2025:1326-1

Affected Products

Bamboo
Debian
Suse
Axios