Summary
n8n 2.15.0 bundles axios@1.13.5, which is affected by CVE-2025-62718 (GHSA-3p68-rc4w-qgx5, severity: Critical).
This is a Server-Side Request Forgery (SSRF) vulnerability caused by improper hostname normalization when evaluating the NO_PROXY environment variable: the host of an outbound request is not canonicalized before it is compared against the NO_PROXY entries, so two spellings of the same destination can receive different proxy-or-direct routing decisions. An attacker who can influence the URL of an outbound request can craft a hostname that bypasses the NO_PROXY rules, potentially reaching internal network resources (e.g., cloud metadata endpoints). Note that this code path is only exercised when a proxy is configured through HTTP_PROXY/HTTPS_PROXY; deployments that rely on such a proxy to constrain n8n's outbound traffic are the ones exposed.
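The following Node script is an added illustration of the bug class named above; it is not axios's code and does not reproduce axios's exact defect. It contrasts a matcher that compares the raw host text of a URL against NO_PROXY entries with one that normalizes both sides first (WHATWG URL parsing, lower-casing, trailing-dot and IPv6-bracket stripping). The NO_PROXY list, the sample URLs and the matcher semantics (exact match, leading-dot suffix match, "*" matches everything, ports ignored) are all assumptions made for the example.

```javascript
// Added illustration of improper NO_PROXY hostname normalization.
// NOT axios's code: matcher semantics and all inputs are constructed for this example.

const NO_PROXY = "localhost,169.254.169.254,::1,.internal.example"; // constructed list

// Constructed request targets; all but api.example.com point at a listed host.
const SAMPLE_URLS = [
  "http://localhost/",
  "http://LOCALHOST./",
  "http://api.example.com/",
  "http://localhost:3000/path",
  "http://169.254.169.254./latest/meta-data/",
  "http://0xa9fea9fe/latest/meta-data/", // hex spelling of 169.254.169.254
  "http://[::1]:8080/",
  "http://evil.internal.example/",
];

function parseNoProxy(noProxy) {
  return noProxy.split(",").map((e) => e.trim()).filter((e) => e.length > 0);
}

// Canonical form for comparison: lower-case, one trailing dot removed,
// IPv6 brackets removed. IPv4 spellings (hex, octal, short forms) are already
// canonicalized by the WHATWG URL parser used in the hardened matcher.
function normalizeHost(host) {
  let h = host.toLowerCase();
  if (h.endsWith(".")) h = h.slice(0, -1);
  if (h.startsWith("[") && h.endsWith("]")) h = h.slice(1, -1);
  return h;
}

// Assumed entry semantics: "*" matches all; ".suffix" or "suffix" match the
// host itself or any subdomain of it.
function hostMatchesEntry(host, entry) {
  if (entry === "*") return true;
  const e = entry.startsWith(".") ? entry.slice(1) : entry;
  return host === e || host.endsWith("." + e);
}

// Weak matcher: takes whatever sits between "scheme://" and the next "/"
// (case, port, brackets, trailing dot and all) and compares it verbatim.
function weakShouldBypassProxy(url, noProxy) {
  const rawHost = url.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "").split("/")[0];
  return parseNoProxy(noProxy).some((entry) => hostMatchesEntry(rawHost, entry));
}

// Hardened matcher: parse the URL, take the hostname (no port), normalize
// both the hostname and every entry, then compare.
function hardenedShouldBypassProxy(url, noProxy) {
  let hostname;
  try {
    hostname = new URL(url).hostname;
  } catch {
    return false; // assumption: an unparseable URL stays on the proxy path
  }
  const host = normalizeHost(hostname);
  return parseNoProxy(noProxy).some((entry) => hostMatchesEntry(host, normalizeHost(entry)));
}

function compareMatchers(urls, noProxy) {
  return urls.map((url) => ({
    url,
    weak: weakShouldBypassProxy(url, noProxy),
    hardened: hardenedShouldBypassProxy(url, noProxy),
  }));
}

// URLs for which the two matchers reach different routing decisions.
function disagreements(urls, noProxy) {
  return compareMatchers(urls, noProxy)
    .filter((r) => r.weak !== r.hardened)
    .map((r) => r.url);
}

for (const r of compareMatchers(SAMPLE_URLS, NO_PROXY)) {
  console.log(`${r.url.padEnd(44)} weak=${r.weak}  hardened=${r.hardened}`);
}
```

Every URL on which the two matchers disagree is a spelling of a destination the operator listed in NO_PROXY, which is the condition an attacker needs. Which way the inconsistency hurts depends on the deployment: where the proxy is the egress control, a target the weak matcher fails to route through it goes direct; where the proxy sits on an internal network, a target it wrongly sends through the proxy gains reach. Either way the remedy is one normalized decision, as in the hardened matcher.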
Affected locations
The following paths in n8nio/n8n:2.15.0 contain axios@1.13.5:
.pnpm/axios@1.13.5/node_modules/axios/
.pnpm/axios@1.13.5_debug@4.4.3/node_modules/axios/
The task runner image n8nio/runners:2.15.0 is also affected:
/opt/runners/task-runner-javascript/node_modules/.pnpm/axios@1.13.5/node_modules/axios/
Fix
Upgrade axios to 1.15.0 or later, which addresses this vulnerability. The bump has to reach every copy listed above: pnpm keeps two resolutions of axios@1.13.5 in the n8n image (the entry suffixed _debug@4.4.3 is the same version resolved against a peer dependency), and the runners image carries its own copy, so check the installed versions after upgrading rather than relying on the n8n release number alone.
References