Advisory Database

CVE-2025-8267: ssrfcheck: SSRF Bypass Caused by Failure to Classify Reserved IP Address Space as Invalid

May 5, 2026

SSRF Bypass in ssrfcheck - fails to classify reserved IP address space as invalid

ssrfcheck is an npm package that serves to provide protection from SSRF by validating URLs or hostname inputs.

Resources:

  • Project’s GitHub code repository: https://github.com/felippe-regazio/ssrfcheck
  • Project’s npm package: https://www.npmjs.com/package/ssrfcheck

Vulnerability

The ssrfcheck package maintains a denylist of IP addresses and ranges to check against when validating if an IP address is to be considered as safe or not.

However, the IP address list used for the denylist is incomplete and misses a reserved IP address space as defined by the IANA (Internet Assigned Numbers Authority):

  • 224.0.0.0/4 - Multicast

In practice, this reserved address space carries multicast traffic and is most commonly used for local communication over protocols such as UDP, which makes it less likely to appear in a typical SSRF attack.

However, reserved address space should not be accepted, and it is the responsibility of an SSRF protection package to conform to the agreed-upon registry of special-purpose addresses that are not valid public IP addresses. For reference, the popular npm packages private-ip and ipaddr.js, which many projects depend on for SSRF decisions, both treat the above address space as reserved rather than as a valid public IP address.

Exploit Proof of Concept

  1. Install the ssrfcheck package:

     npm install ssrfcheck

  2. Define an app.js file with the programmatic API of ssrfcheck:

     import { isSSRFSafeURL } from 'ssrfcheck';

     let result;
     result = isSSRFSafeURL('https://012.1.2.3/whatever');
     console.log(result);  // returns false
     result = isSSRFSafeURL('https://localhost:8080/whatever');
     console.log(result);  // returns false

     result = isSSRFSafeURL('https://239.255.255.250:8080/whatever');
     console.log(result);  // returns true - bypassed
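As an added example that is not ssrfcheck's own code, the following JavaScript classifies an IPv4 literal against the IANA special-purpose ranges, including the 224.0.0.0/4 multicast block the advisory reports as missing from the denylist. The range list, the strict parser and the function names are this example's own choices, not the package's API.

```javascript
// Subset of the IANA IPv4 Special-Purpose Address Registry plus multicast.
const RESERVED_IPV4 = [
  '0.0.0.0/8',        // "this network"
  '10.0.0.0/8',       // private
  '100.64.0.0/10',    // shared address space (CGNAT)
  '127.0.0.0/8',      // loopback
  '169.254.0.0/16',   // link-local
  '172.16.0.0/12',    // private
  '192.0.0.0/24',     // IETF protocol assignments
  '192.0.2.0/24',     // TEST-NET-1
  '192.168.0.0/16',   // private
  '198.18.0.0/15',    // benchmarking
  '198.51.100.0/24',  // TEST-NET-2
  '203.0.113.0/24',   // TEST-NET-3
  '224.0.0.0/4',      // multicast: the range this advisory reports as missing
  '240.0.0.0/4',      // reserved for future use, includes 255.255.255.255
];
// Strict dotted-quad parser: four decimal octets, no leading zeros, so octal,
// hex and shorthand forms ("012.1.2.3", "0x7f.1") are rejected. Returns a
// 32-bit unsigned integer, or null when the string is not a plain IPv4 literal.
function parseIPv4(str) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(str);
  if (!m) return null;
  let addr = 0;
  for (let i = 1; i <= 4; i++) {
    if (m[i].length > 1 && m[i][0] === '0') return null;
    const octet = Number(m[i]);
    if (octet > 255) return null;
    addr = addr * 256 + octet;
  }
  return addr;
}
function inCidr(addr, cidr) {
  const [base, bits] = cidr.split('/');
  const mask = bits === '0' ? 0 : (0xFFFFFFFF << (32 - Number(bits))) >>> 0;
  return ((addr & mask) >>> 0) === ((parseIPv4(base) & mask) >>> 0);
}
// True if the literal falls in a reserved range; unparseable input counts as
// reserved so the check fails closed.
function isReservedIPv4(str) {
  const addr = parseIPv4(str);
  return addr === null || RESERVED_IPV4.some((cidr) => inCidr(addr, cidr));
}
// True only when the URL's host is a well-formed, non-reserved IPv4 literal.
function urlHostIsPublicIPv4(urlString) {
  let host;
  try { host = new URL(urlString).hostname; } catch { return false; }
  return parseIPv4(host) !== null && !isReservedIPv4(host);
}
```

A hostname that is not an IP literal still needs each of its resolved addresses run through the same classification, which this helper deliberately leaves to the caller.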

Vulnerable versions

All versions of ssrfcheck are vulnerable to this issue, up to and including the latest version, 1.1.1.

Assigned CVE

CVE-2025-8267

Author

Liran Tal

References

  • gist.github.com/lirantal/2976840639df824cb3abe60d13c65e04
  • github.com/advisories/GHSA-p4hc-9pjh-55c8
  • github.com/felippe-regazio/ssrfcheck
  • github.com/felippe-regazio/ssrfcheck/commit/9507b49fd764f2a1a1d1e3b9ee577b7545e6950e
  • github.com/felippe-regazio/ssrfcheck/issues/5
  • github.com/felippe-regazio/ssrfcheck/security/advisories/GHSA-p4hc-9pjh-55c8
  • nvd.nist.gov/vuln/detail/CVE-2025-8267
  • security.snyk.io/vuln/SNYK-JS-SSRFCHECK-9510756


Affected versions

All versions before 1.2.0

Fixed versions

  • 1.2.0

Solution

Upgrade to version 1.2.0 or above.

Impact 8.2 HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N


Weakness

  • CWE-918: Server-Side Request Forgery (SSRF)

Source file

npm/ssrfcheck/CVE-2025-8267.yml

Page generated Sat, 09 May 2026 00:19:42 +0000.