CVE-2025-8267

Versions of the package ssrfcheck before 1.2.0 are vulnerable to Server-Side Request Forgery (SSRF) due to an incomplete denylist of IP address ranges. Specifically, the package fails to classify the reserved IP address space 224.0.0.0/4 (Multicast) as invalid. This oversight allows attackers to craft requests targeting these multicast addresses.

CVSS v3 8.2 HIGH

8.2^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://gist.github.com/lirantal/2976840639df824cb3abe60d13c65e04	Exploit Third Party Advisory
https://github.com/felippe-regazio/ssrfcheck/commit/9507b49fd764f2a1a1d1e3b9ee577b7545e6950e	Patch
https://github.com/felippe-regazio/ssrfcheck/issues/5	Issue Tracking
https://security.snyk.io/vuln/SNYK-JS-SSRFCHECK-9510756	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:felipperegazio:ssrf_check:*:*:*:*:*:*:*:*

History

07 Aug 2025, 14:42

Type	Values Removed	Values Added
References	~~() https://gist.github.com/lirantal/2976840639df824cb3abe60d13c65e04 -~~	() https://gist.github.com/lirantal/2976840639df824cb3abe60d13c65e04 - Exploit, Third Party Advisory
References	~~() https://github.com/felippe-regazio/ssrfcheck/commit/9507b49fd764f2a1a1d1e3b9ee577b7545e6950e -~~	() https://github.com/felippe-regazio/ssrfcheck/commit/9507b49fd764f2a1a1d1e3b9ee577b7545e6950e - Patch
References	~~() https://github.com/felippe-regazio/ssrfcheck/issues/5 -~~	() https://github.com/felippe-regazio/ssrfcheck/issues/5 - Issue Tracking
References	~~() https://security.snyk.io/vuln/SNYK-JS-SSRFCHECK-9510756 -~~	() https://security.snyk.io/vuln/SNYK-JS-SSRFCHECK-9510756 - Exploit, Third Party Advisory
CPE		cpe:2.3:a:felipperegazio:ssrf_check::::::::
First Time		Felipperegazio ssrf Check Felipperegazio

29 Jul 2025, 14:14

Type	Values Removed	Values Added
Summary		(es) Las versiones del paquete ssrfcheck anteriores a la 1.2.0 son vulnerables a la Server-Side Request Forgery (SSRF) debido a una lista de denegación incompleta de rangos de direcciones IP. En concreto, el paquete no clasifica el espacio de direcciones IP reservado 224.0.0.0/4 (Multicast) como inválido. Este descuido permite a los atacantes manipular solicitudes dirigidas a estas direcciones de multicast.

28 Jul 2025, 05:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-28 05:16

Updated : 2025-08-07 14:42

NVD link : CVE-2025-8267

Mitre link : CVE-2025-8267

CVE.ORG link : CVE-2025-8267

JSON object : View

Products Affected

felipperegazio

ssrf_check

CWE

CWE-918

Server-Side Request Forgery (SSRF)

8.2 /10