CVE-2025-62718: proxy-from-env no_proxy hostname bypass (SSRF)

`getProxyForUrl()` from `proxy-from-env` does not normalize hostnames with trailing dots (e.g., `localhost.`) or IPv6 bracket notation (e.g., `[::1]`). Using its result directly to configure a proxy without an independent `no_proxy` bypass check allows these non-normalized hostname variants to evade `no_proxy` matching, routing requests through the proxy when

Provally Curated | Public repository | High | Medium confidence | Verified | Apache-2.0 | javascript

`greprules fetch cve-2025-62718-proxy-from-env-no-proxy-hostname-bypass-ssrf --engine opengrep`

Detection target

Not provided

Recommended fix

Not provided
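The rule page gives no fix, so the following is an added example (not code from `proxy-from-env`, Provally, or this rule) of the independent bypass check the description calls for: the hostname is normalized (lowercased, single trailing dot stripped, IPv6 brackets stripped) before it is matched against `NO_PROXY`, and only then is a proxy URL from a helper such as `getProxyForUrl()` used. The matching semantics (exact host, leading-dot suffix, `*`, optional `:port`) are a simplified assumption, not a statement of any library's exact behaviour, and `lookupProxy` is a hypothetical stand-in for whatever function returns the proxy URL. A deliberately naive exact-string check is included to show what the unnormalized variants slip past.

```javascript
'use strict';

// Added example, not proxy-from-env's code. Hostname normalization so that
// "localhost." and "[::1]" are compared as "localhost" and "::1".
function normalizeHostname(hostname) {
  let h = String(hostname).toLowerCase();
  if (h.length > 1 && h.endsWith('.')) h = h.slice(0, -1); // trailing dot
  if (h.startsWith('[') && h.endsWith(']')) h = h.slice(1, -1); // IPv6 brackets
  return h;
}

// Naive check for contrast: exact string compare with no normalization.
// "localhost." or "[::1]" never equal "localhost" / "::1", so they are proxied.
function naiveBypass(hostname, noProxy) {
  return String(noProxy || '').split(',').map((s) => s.trim()).includes(hostname);
}

// Split a NO_PROXY entry into [host, port]. "[::1]:8080" and "localhost:8080"
// carry a port; a bare IPv6 address like "::1" has many colons and is host only.
function splitHostPort(entry) {
  let m = /^(\[[^\]]+\])(?::(\d+))?$/.exec(entry);
  if (m) return [m[1], m[2] ? Number(m[2]) : null];
  m = /^([^:]+)(?::(\d+))?$/.exec(entry);
  if (m) return [m[1], m[2] ? Number(m[2]) : null];
  return [entry, null];
}

function parseNoProxy(noProxy) {
  return String(noProxy || '')
    .split(/[\s,]+/)
    .filter(Boolean)
    .map((entry) => {
      const [host, port] = splitHostPort(entry);
      return { host: normalizeHostname(host), port };
    });
}

// Assumed default ports for the protocols we care about.
const DEFAULT_PORTS = { 'http:': 80, 'https:': 443, 'ws:': 80, 'wss:': 443 };

// Independent bypass decision: parse the URL, normalize its host, and match
// against NO_PROXY entries (assumed semantics: "*", exact host, suffix match
// for ".example" or "example", optional ":port" restriction).
function shouldBypassProxy(urlString, noProxy) {
  const url = new URL(urlString);
  const host = normalizeHostname(url.hostname);
  const port = url.port ? Number(url.port) : DEFAULT_PORTS[url.protocol] || null;
  for (const entry of parseNoProxy(noProxy)) {
    if (entry.port !== null && entry.port !== port) continue;
    if (entry.host === '*' || entry.host === host) return true;
    if (entry.host.startsWith('.')) {
      if (host === entry.host.slice(1) || host.endsWith(entry.host)) return true;
    } else if (host.endsWith('.' + entry.host)) {
      return true;
    }
  }
  return false;
}

// Gate the proxy URL behind the independent check. `lookupProxy` is a
// hypothetical stand-in for a helper such as getProxyForUrl(); the check
// runs first, so the helper's own no_proxy handling is never relied upon.
function resolveProxy(urlString, env, lookupProxy) {
  if (shouldBypassProxy(urlString, env.NO_PROXY || env.no_proxy)) return '';
  return lookupProxy(urlString, env) || '';
}

// Constructed sample environment for a stand-alone run.
const sampleEnv = { HTTP_PROXY: 'http://proxy.example:3128', NO_PROXY: 'localhost,::1' };
const sampleLookup = (url, env) => env.HTTP_PROXY;

if (typeof module !== 'undefined' && require.main === module) {
  for (const u of ['http://localhost./', 'http://[::1]:8080/', 'http://example.com/']) {
    console.log(u, '->', resolveProxy(u, sampleEnv, sampleLookup) || '(direct)');
  }
}
```

With `NO_PROXY=localhost,::1`, `naiveBypass('localhost.', ...)` and `naiveBypass('[::1]', ...)` both return false (the request would be proxied), while `shouldBypassProxy` returns true for the same URLs because it normalizes before matching; `example.com` still goes through the configured proxy.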

False-positive notes

Not provided
