CVE-2025-8267

描述

# SSRF Bypass in `ssrfcheck` - fails to classify reserved IP address space as invalid `ssrfcheck` is an npm package that serves to provide protection from SSRF by validating URLs or hostname inputs. Resources: * Project's GitHub code repository: https://github.com/felippe-regazio/ssrfcheck * Project's npm package: https://www.npmjs.com/package/ssrfcheck ## Vulnerability The `ssrfcheck` package maintains a denylist of IP addresses and ranges to check against when validating if an IP address is to be considered as safe or not. However, the IP address list used for the denylist is incomplete and misses a reserved IP address space as defined by the IANA (Internet Assigned Numbers Authority): - 224.0.0.0/4 - Multicast Practically, this reserved IP address space is used for multicast traffic and would most commonly be used for reserved local communication over network protocols such as UDP, which would make it less likely to be used in a typical SSRF attack in practice. However, such reserved IP address space shouldn't be allowed and it would be responsible of the SSRF protection package to align and conform to an agreed-upon standard of special-purposed addresses that should not be considered a valid public IP address. For reference, the popular npm packages `private-ip` and `ipaddr.js` that are highly dependent-upon to make decisions about SSRF protection and both consider the above mentioned IP address space as reserved and is not considered a valid public IP address. ## Exploit Proof of Concept 1. Install the `ssrfcheck` package: ```bash npm install ssrfcheck ``` 2. Define an `app.js` file with the programmatic API of `ssrfcheck`: ```javascript import { isSSRFSafeURL } from 'ssrfcheck'; let result result = isSSRFSafeURL('https://012.1.2.3/whatever'); console.log(result); // returns false result = isSSRFSafeURL('https://localhost:8080/whatever'); console.log(result); // returns false result = isSSRFSafeURL('https://239.255.255.250:8080/whatever'); console.log(result); // returns true - bypassed ``` ## Vulnerable versions All versions of ssrfcheck are vulnerable to this issue, up to and including to the latest version of `1.1.1`. ## Assigned CVE [CVE-2025-8267](https://nvd.nist.gov/vuln/detail/CVE-2025-8267) # Author Liran Tal

如何修補 CVE-2025-8267

要修補 CVE-2025-8267,請將受影響套件升級到下列已修補版本。

—升級至 1.2.0 或更新版本
—

來源	版本	嚴重程度	向量
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
osv	CVSS 3.1	HIGH8.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

描述

如何修補 CVE-2025-8267

CVE-2025-8267 正在被利用嗎?

受影響套件(2)

CVSS 分數

參考連結(7)