Advisories for Npm/Ssrfcheck package

2026

ssrfcheck: SSRF Bypass Caused by Failure to Classify Reserved IP Address Space as Invalid

SSRF Bypass in ssrfcheck - fails to classify reserved IP address space as invalid

ssrfcheck is an npm package that serves to provide protection from SSRF by validating URLs or hostname inputs.

Resources:
Project's GitHub code repository: https://github.com/felippe-regazio/ssrfcheck
Project's npm package: https://www.npmjs.com/package/ssrfcheck

Vulnerability

The ssrfcheck package maintains a denylist of IP addresses and ranges to check against when validating if an IP address is to be considered as safe or …

ssrfcheck Vulnerable to Server-Side Request Forgery (SSRF) and Incomplete List of Disallowed Inputs

ssrfcheck v1.3.0 (latest) fails to block Server-Side Request Forgery attacks when the target private IP address is encoded as an IPv4-mapped IPv6 address (e.g. http://[::ffff:127.0.0.1]/). The WHATWG URL parser built into Node.js silently normalizes the IPv4 notation inside the brackets to compressed hex form ([::ffff:7f00:1]) before the library's private-IP regex ever runs. The regex was written to match dot-notation only and therefore never matches any real input — all seven …

2025