
CVE-2025-2691 (nossrf)
Severity: HIGH, 7.8 (CVSS 4.0, NVD)
Weakness: Server-Side Request Forgery (SSRF) (CWE-918)
Published: 2025-03-23 (report@snyk.io)

Severity by source

NVD (primary): 7.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD; NVD is the only scoring source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline (7 events)

Analysis Updated: Apr 29, 2026 01:20 (vuln.today), v2 (cvss_changed)
Re-analysis Queued: Apr 29, 2026 01:11 (vuln.today), trigger: cvss_changed
CVSS changed: Apr 29, 2026 01:11 (NVD), 8.8 (HIGH) to 7.8 (HIGH)
Patch released: Mar 31, 2026 21:13 (nvd), patch available
Analysis Generated: Mar 28, 2026 18:32 (vuln.today)
PoC Detected: Mar 26, 2025 15:06 (vuln.today), public exploit code
CVE Published: Mar 23, 2025 15:15 (nvd), HIGH 8.8

Description (CVE.org)

Versions of the package nossrf before 1.0.4 are vulnerable to Server-Side Request Forgery (SSRF) where an attacker can provide a hostname that resolves to a local or reserved IP address space and bypass the SSRF protection mechanism.

Analysis (AI)

A validation bypass in the nossrf JavaScript library (versions before 1.0.4) enables Server-Side Request Forgery against internal network resources by circumventing the library's SSRF protection. An attacker can supply a hostname that resolves to a reserved IP range (RFC 1918 private addresses, loopback, link-local) and reach internal services even though nossrf was deployed specifically to prevent SSRF. Public exploit code exists (Snyk advisory). The EPSS score of 0.14% (34th percentile) indicates few observed exploitation attempts despite PoC availability, likely because the library's usage is niche. The absence of a CISA KEV listing suggests any exploitation is targeted rather than part of widespread campaigns.

Technical Context (AI)

The nossrf package is a JavaScript library (npm ecosystem, Node.js runtime) that validates and sanitizes URLs to prevent Server-Side Request Forgery. The vulnerability stems from inadequate validation of what a hostname actually resolves to (CWE-918: Server-Side Request Forgery): the filtering logic does not properly handle DNS rebinding, time-of-check/time-of-use race conditions, or alternative DNS and address encodings, so a hostname that passes the initial check can still resolve to a prohibited address by the time the request is made. Reserved ranges include RFC 1918 private networks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), loopback addresses (127.0.0.0/8), link-local addresses (169.254.0.0/16), and other special-use ranges. Affected applications use nossrf as a security control, trusting it to filter user-supplied URLs before making backend HTTP requests, so this bypass is particularly impactful: it defeats the very mechanism deployed to stop SSRF.

Remediation (AI)

Upgrade nossrf to version 1.0.4 or later immediately using npm (npm update nossrf) or yarn. Verify the upgrade by checking package.json and package-lock.json for a version >=1.0.4. If an immediate upgrade is not feasible, apply defense-in-depth compensating controls, each with a trade-off:

(1) Network egress filtering: block outbound requests from application servers to RFC 1918 private ranges, loopback addresses, and cloud metadata endpoints (169.254.169.254). This prevents exploitation but may break legitimate internal service communication and requires allowlist maintenance.

(2) Redundant URL validation: run an alternative library (node-ssrf-check, ssrf-req-filter) in series with nossrf. This adds processing overhead and complexity but provides a second, independent check.

(3) Hostname allowlisting instead of denylisting, where feasible: this limits functionality to known-good external domains but eliminates entire classes of bypass techniques.

Do not rely solely on nossrf <1.0.4 for SSRF protection even with workarounds in place. Full advisory and patch details: https://security.snyk.io/vuln/SNYK-JS-NOSSRF-9510842.


CVE-2025-2691 vulnerability details – vuln.today
