GHSA-P4HC-9PJH-55C8
Vulnerability from github – Published: 2026-05-05 20:29 – Updated: 2026-05-05 20:29
SSRF Bypass in ssrfcheck - fails to classify reserved IP address space as invalid
ssrfcheck is an npm package that serves to provide protection from SSRF by validating URLs or hostname inputs.
Resources:
- Project's GitHub code repository: https://github.com/felippe-regazio/ssrfcheck
- Project's npm package: https://www.npmjs.com/package/ssrfcheck
Vulnerability
The ssrfcheck package maintains a denylist of IP addresses and ranges to check against when validating if an IP address is to be considered as safe or not.
However, the IP address list used for the denylist is incomplete and misses a reserved IP address space as defined by the IANA (Internet Assigned Numbers Authority):
- 224.0.0.0/4 - Multicast
In practice, this reserved address space carries multicast traffic, most commonly local communication over network protocols such as UDP, which makes it less likely to be used in a typical SSRF attack.
However, such reserved address space should not be allowed, and an SSRF protection package is responsible for aligning with the agreed-upon standard of special-purpose addresses that are not valid public IP addresses. For reference, the popular npm packages private-ip and ipaddr.js, which are widely depended upon for SSRF protection decisions, both treat the above address space as reserved and not a valid public IP address.
Exploit Proof of Concept
1. Install the ssrfcheck package:

```bash
npm install ssrfcheck
```

2. Define an app.js file using the programmatic API of ssrfcheck:

```javascript
import { isSSRFSafeURL } from 'ssrfcheck';

let result;
result = isSSRFSafeURL('https://012.1.2.3/whatever');
console.log(result); // returns false
result = isSSRFSafeURL('https://localhost:8080/whatever');
console.log(result); // returns false

result = isSSRFSafeURL('https://239.255.255.250:8080/whatever');
console.log(result); // returns true - bypassed
```
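To show what a complete denylist looks like in practice, here is an added example that is not ssrfcheck's code: a small IPv4 classifier that checks a hostname literal against the IANA special-purpose registry (RFC 6890 and its successors), including the 224.0.0.0/4 multicast block the advisory reports as missing. It goes slightly beyond the advisory in two ways: it fails closed on any address it cannot parse as canonical dotted-decimal (so the octal-looking `012.1.2.3` form from the proof of concept is rejected as invalid rather than guessed at), and it prefers the most specific matching block. The function names `parseIPv4`, `classifyIPv4` and `isPublicIPv4` are this example's own, not part of ssrfcheck's API.

```javascript
// Added example, not code from ssrfcheck. Classifies an IPv4 literal against
// the IANA special-purpose registry and fails closed on anything it cannot
// parse as a canonical dotted-decimal address.

// Special-purpose IPv4 blocks that must never be treated as public.
const SPECIAL_PURPOSE_V4 = [
  ['0.0.0.0', 8],           // "this" network
  ['10.0.0.0', 8],          // private
  ['100.64.0.0', 10],       // shared address space (CGNAT)
  ['127.0.0.0', 8],         // loopback
  ['169.254.0.0', 16],      // link-local (cloud metadata endpoints live here)
  ['172.16.0.0', 12],       // private
  ['192.0.0.0', 24],        // IETF protocol assignments
  ['192.0.2.0', 24],        // TEST-NET-1
  ['192.88.99.0', 24],      // deprecated 6to4 relay anycast
  ['192.168.0.0', 16],      // private
  ['198.18.0.0', 15],       // benchmarking
  ['198.51.100.0', 24],     // TEST-NET-2
  ['203.0.113.0', 24],      // TEST-NET-3
  ['224.0.0.0', 4],         // multicast: the block the advisory reports as missing
  ['240.0.0.0', 4],         // reserved for future use
  ['255.255.255.255', 32],  // limited broadcast
];

// Parse a strict canonical dotted-decimal IPv4 string into an unsigned 32-bit
// integer. Returns null for anything else (octal-looking octets such as
// "012", shorthand like "1.2.3", hex, or out-of-range octets) so the caller
// can fail closed instead of guessing how a given HTTP client would parse it.
function parseIPv4(text) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(text);
  if (!m) return null;
  let value = 0;
  for (let i = 1; i <= 4; i++) {
    const octet = m[i];
    if (octet.length > 1 && octet[0] === '0') return null; // leading zero: ambiguous
    const n = Number(octet);
    if (n > 255) return null;
    value = (value * 256) + n;
  }
  return value;
}

// Precompute network/mask pairs once, most specific prefix first so that the
// longest match wins (e.g. 255.255.255.255/32 before 240.0.0.0/4).
const DENY = SPECIAL_PURPOSE_V4
  .map(([net, prefix]) => {
    const mask = (0xFFFFFFFF << (32 - prefix)) >>> 0;
    return { net: (parseIPv4(net) & mask) >>> 0, mask, prefix, cidr: `${net}/${prefix}` };
  })
  .sort((a, b) => b.prefix - a.prefix);

// Returns the CIDR block name if the address is special-purpose, 'invalid'
// if it cannot be parsed canonically, or null if it is a public address.
function classifyIPv4(text) {
  const value = parseIPv4(text);
  if (value === null) return 'invalid';
  for (const { net, mask, cidr } of DENY) {
    if (((value & mask) >>> 0) === net) return cidr;
  }
  return null;
}

// Fail-closed check for IPv4 hostname literals: only a parsable address that
// matches no special-purpose block is considered public.
function isPublicIPv4(text) {
  return classifyIPv4(text) === null;
}
```

With this list, the `239.255.255.250` literal from the proof of concept resolves to `224.0.0.0/4` and is rejected, while a genuinely public address such as `8.8.8.8` passes. A validator that only handles IPv4 literals is still only one layer: hostnames that resolve to these ranges, IPv6 literals, and IPv4-mapped IPv6 forms need the same treatment after DNS resolution.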
Vulnerable versions
All versions of ssrfcheck up to and including the latest version, 1.1.1, are vulnerable to this issue.
Assigned CVE
CVE-2025-8267 (https://nvd.nist.gov/vuln/detail/CVE-2025-8267)
Author
Liran Tal
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "ssrfcheck"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-8267"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-05T20:29:06Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "# SSRF Bypass in `ssrfcheck` - fails to classify reserved IP address space as invalid\n\n`ssrfcheck` is an npm package that serves to provide protection from SSRF by validating URLs or hostname inputs.\n\nResources: \n * Project\u0027s GitHub code repository: https://github.com/felippe-regazio/ssrfcheck\n * Project\u0027s npm package: https://www.npmjs.com/package/ssrfcheck\n \n## Vulnerability\n\nThe `ssrfcheck` package maintains a denylist of IP addresses and ranges to check against when validating if an IP address is to be considered as safe or not.\n\nHowever, the IP address list used for the denylist is incomplete and misses a reserved IP address space as defined by the IANA (Internet Assigned Numbers Authority):\n\n- 224.0.0.0/4 - Multicast\n\nPractically, this reserved IP address space is used for multicast traffic and would most commonly be used for reserved local communication over network protocols such as UDP, which would make it less likely to be used in a typical SSRF attack in practice.\n\nHowever, such reserved IP address space shouldn\u0027t be allowed and it would be responsible of the SSRF protection package to align and conform to an agreed-upon standard of special-purposed addresses that should not be considered a valid public IP address. For reference, the popular npm packages `private-ip` and `ipaddr.js` that are highly dependent-upon to make decisions about SSRF protection and both consider the above mentioned IP address space as reserved and is not considered a valid public IP address.\n\n## Exploit Proof of Concept\n\n1. Install the `ssrfcheck` package:\n\n```bash\nnpm install ssrfcheck\n```\n\n2. Define an `app.js` file with the programmatic API of `ssrfcheck`:\n\n```javascript\nimport { isSSRFSafeURL } from \u0027ssrfcheck\u0027;\n\nlet result\nresult = isSSRFSafeURL(\u0027https://012.1.2.3/whatever\u0027);\nconsole.log(result); // returns false\nresult = isSSRFSafeURL(\u0027https://localhost:8080/whatever\u0027);\nconsole.log(result); // returns false\n\nresult = isSSRFSafeURL(\u0027https://239.255.255.250:8080/whatever\u0027);\nconsole.log(result); // returns true - bypassed\n```\n\n## Vulnerable versions\n\nAll versions of ssrfcheck are vulnerable to this issue, up to and including to the latest version of `1.1.1`.\n\n## Assigned CVE\n\n[CVE-2025-8267](https://nvd.nist.gov/vuln/detail/CVE-2025-8267)\n\n# Author\n\nLiran Tal",
"id": "GHSA-p4hc-9pjh-55c8",
"modified": "2026-05-05T20:29:06Z",
"published": "2026-05-05T20:29:06Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/felippe-regazio/ssrfcheck/security/advisories/GHSA-p4hc-9pjh-55c8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8267"
},
{
"type": "WEB",
"url": "https://github.com/felippe-regazio/ssrfcheck/issues/5"
},
{
"type": "WEB",
"url": "https://github.com/felippe-regazio/ssrfcheck/commit/9507b49fd764f2a1a1d1e3b9ee577b7545e6950e"
},
{
"type": "WEB",
"url": "https://gist.github.com/lirantal/2976840639df824cb3abe60d13c65e04"
},
{
"type": "PACKAGE",
"url": "https://github.com/felippe-regazio/ssrfcheck"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JS-SSRFCHECK-9510756"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "ssrfcheck: SSRF Bypass Caused by Failure to Classify Reserved IP Address Space as Invalid"
}