Skip to main content

private-ip CVE-2025-8020

HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2025-07-23 report@snyk.io
7.8
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Apr 29, 2026 - 01:15 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 482 npm packages depend on private-ip (33 direct, 451 indirect)

Ecosystem-wide dependent count for version 3.0.2.

DescriptionCVE.org

All versions of the package private-ip are vulnerable to Server-Side Request Forgery (SSRF) where an attacker can provide an IP or hostname that resolves to a multicast IP address (224.0.0.0/4) which is not included as part of the private IP ranges in the package's source code.

AnalysisAI

Server-Side Request Forgery (SSRF) in the private-ip npm package allows remote unauthenticated attackers to bypass IP filtering by providing multicast addresses (224.0.0.0/4) that the library incorrectly validates as safe, enabling access to internal network resources. This affects all versions of the package with a CVSS 4.0 score of 7.8 (High) and proof-of-concept exploit code is publicly available per the E:P metric. Organizations using private-ip for server-side request validation are at immediate risk of internal network reconnaissance and data exfiltration.

Technical ContextAI

The private-ip npm package is a JavaScript library used to validate whether IP addresses or hostnames belong to private/internal network ranges, commonly deployed in server-side applications to prevent SSRF attacks. The vulnerability stems from incomplete IP range validation logic (CWE-918: Server-Side Request Forgery) where the package's source code fails to include multicast IP addresses (224.0.0.0 through 239.255.255.255, CIDR 224.0.0.0/4) in its blocklist of non-routable addresses. According to RFC 5771, multicast addresses are reserved for group communication protocols and should not be considered safe external targets. Attackers exploit this by providing hostnames that resolve to multicast IPs or directly passing multicast addresses, which the library incorrectly classifies as public/safe addresses, bypassing SSRF protections in applications relying on this validation.

Affected ProductsAI

All versions of the private-ip npm package (NPM ecosystem) are confirmed vulnerable per Snyk advisory SNYK-JS-PRIVATEIP-9510757. The vulnerability exists in the core IP range validation logic with no version-specific conditions. Applications using private-ip for server-side request filtering, including Node.js web servers, API gateways, webhook processors, and microservices performing outbound HTTP requests based on user-supplied URLs or hostnames, are at risk. Advisory available at https://security.snyk.io/vuln/SNYK-JS-PRIVATEIP-9510757 with proof-of-concept at https://gist.github.com/lirantal/ed18a4493ca9fe4429957c79454a9df1.

RemediationAI

No vendor-released patch identified at time of analysis for the private-ip package. Immediate compensating controls: (1) Replace private-ip with alternative IP validation libraries that include comprehensive non-routable range checking including multicast addresses (224.0.0.0/4), such as ip-address or implementing custom validation against RFC-defined reserved ranges (RFC 5771, RFC 1918, RFC 3927). Trade-off: requires code refactoring and testing of replacement library behavior. (2) Implement application-layer allowlisting of permitted destination domains/IPs rather than blocklisting private ranges, restricting outbound requests to explicitly approved external endpoints only. Trade-off: reduces flexibility for dynamic URL handling and requires maintenance of allowlist. (3) Deploy network-layer egress filtering on application hosts to block traffic to multicast ranges (224.0.0.0/4), RFC 1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local (169.254.0.0/16), and loopback (127.0.0.0/8) at firewall or security group level. Trade-off: defense-in-depth but does not prevent exploitation of other internal network resources accessible from the application host. Monitor Snyk advisory https://security.snyk.io/vuln/SNYK-JS-PRIVATEIP-9510757 for patch release announcements. Organizations should audit all code using private-ip.isPrivateIP() or similar methods and treat validation results as untrusted until mitigation is deployed.

Share

CVE-2025-8020 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy