
ssrfcheck CVE-2025-8267

EUVD-2025-22851 · HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
7.8
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
7.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X (not defined)

Lifecycle Timeline

1. Analysis Generated: Apr 29, 2026 - 01:15 (vuln.today)

Description (CVE.org)

Versions of the package ssrfcheck before 1.2.0 are vulnerable to Server-Side Request Forgery (SSRF) due to an incomplete denylist of IP address ranges. Specifically, the package fails to classify the reserved IP address space 224.0.0.0/4 (Multicast) as invalid. This oversight allows attackers to craft requests targeting these multicast addresses.

Analysis (AI)

Server-side request forgery in ssrfcheck npm package versions before 1.2.0 enables attackers to bypass IP blocklist validation and craft requests to multicast IP addresses (224.0.0.0/4). The vulnerability stems from an incomplete denylist that fails to classify reserved multicast address space as invalid, allowing network-accessible exploitation with no authentication required. Public exploit code exists (Snyk gist, CVSS E:P) with EPSS indicating moderate exploitation probability. Vendor patch available in version 1.2.0 via GitHub commit 9507b49.

Technical Context (AI)

The ssrfcheck package (cpe:2.3:a:felipperegazio:ssrf_check) is a Node.js library designed to validate and sanitize URLs to prevent server-side request forgery attacks by maintaining denylists of dangerous IP ranges. This vulnerability (CWE-918: Server-Side Request Forgery) occurs because the package's IP validation logic omits the IANA-reserved multicast address block 224.0.0.0/4 (Class D addresses) from its blocklist. Multicast addresses are used for one-to-many network communication and should never be valid targets for application-initiated HTTP requests. Applications relying on ssrfcheck for SSRF protection prior to version 1.2.0 incorrectly permit requests to these addresses, enabling attackers to bypass intended access controls and potentially interact with multicast-enabled network services or infrastructure components that listen on these addresses.

Remediation (AI)

Upgrade ssrfcheck to version 1.2.0 or later immediately, either with npm update ssrfcheck or by setting "ssrfcheck": "^1.2.0" in package.json and running npm install. The vendor-released patch in commit 9507b49fd764f2a1a1d1e3b9ee577b7545e6950e adds the multicast address range 224.0.0.0/4 to the IP blocklist. For environments unable to upgrade immediately, implement compensating controls by adding application-layer validation that explicitly rejects URLs resolving to IP addresses in the 224.0.0.0 to 239.255.255.255 range before passing them to ssrfcheck, bearing in mind that this adds maintenance burden and room for logic errors. Alternatively, deploy network-layer egress filtering that blocks outbound connections to multicast ranges at the firewall or security-group level; this prevents exploitation but may break legitimate multicast functionality if any is present in the environment. Review application logs for any historical requests to 224.0.0.0/4 addresses to identify potential prior exploitation. Consult GitHub issue https://github.com/felippe-regazio/ssrfcheck/issues/5 for additional vendor guidance.
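The application-layer compensating control described above, as an added example that is not ssrfcheck's own code and not from the advisory: a Node.js gate that rejects a URL whose host literal, or whose DNS-resolved addresses, fall in 224.0.0.0/4, to be run before the URL is handed to an unpatched ssrfcheck. It goes slightly beyond the page in two ways: it relies on the WHATWG URL parser (the global URL class in Node) to normalise alternative IPv4 spellings such as hex or single-integer hosts to dotted decimal, and it also covers IPv6 multicast (ff00::/8). The function names, the `passesMulticastGate` entry point and the shape of the `resolved` list (as returned by `dns.promises.lookup(hostname, { all: true })`) are assumptions for this example; the actual ssrfcheck call that would follow a passing result is omitted.

```javascript
// Added example, not ssrfcheck's own code. Compensating control for CVE-2025-8267:
// refuse any URL that targets the IPv4 multicast block 224.0.0.0/4
// (224.0.0.0 - 239.255.255.255) before it reaches ssrfcheck < 1.2.0.

// Parse a strict dotted-quad IPv4 string into four octets, or return null.
function parseIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// 224.0.0.0/4 means the first octet's top four bits are 1110, i.e. 224..239.
function isMulticastIPv4(address) {
  const octets = parseIPv4(address);
  return octets !== null && (octets[0] & 0xf0) === 0xe0;
}

// Beyond the advisory's scope: IPv6 multicast is ff00::/8. URL.hostname keeps
// the square brackets on IPv6 literals, so strip them before reading the
// first hextet; the serialised form never drops a leading non-zero hextet.
function isMulticastIPv6(address) {
  const bare = address.replace(/^\[|\]$/g, '').toLowerCase();
  return /^ff[0-9a-f]{2}:/.test(bare);
}

function isMulticastAddress(address) {
  return isMulticastIPv4(address) || isMulticastIPv6(address);
}

// Literal-host check. The WHATWG URL parser normalises IPv4 spellings such as
// "0xE0.0.0.1" or the single integer "3758096385" to "224.0.0.1", so those
// alternative encodings are caught here too. An unparseable URL is treated
// as unsafe rather than silently passed through.
function urlHostIsMulticast(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return true;
  }
  return isMulticastAddress(url.hostname);
}

// Resolved-address check. `resolved` is the array the caller obtained from
// dns.promises.lookup(hostname, { all: true }); each entry has an `address`
// field. Any multicast answer rejects the URL, so a name that resolves to a
// mix of routable and multicast addresses is still refused.
function resolvedTargetsMulticast(resolved) {
  return resolved.some((entry) => isMulticastAddress(entry.address));
}

// Gate to call before ssrfcheck: returns true only when neither the host
// literal nor any resolved address is multicast.
function passesMulticastGate(urlString, resolved = []) {
  return !urlHostIsMulticast(urlString) && !resolvedTargetsMulticast(resolved);
}

// Constructed sample inputs for a stand-alone run.
console.log(passesMulticastGate('https://example.com/'));          // true
console.log(passesMulticastGate('http://224.0.0.251/'));           // false
console.log(passesMulticastGate('http://3758096385/'));            // false (== 224.0.0.1)
console.log(passesMulticastGate('https://example.com/', [
  { address: '224.0.0.1', family: 4 },                             // constructed DNS answer
]));                                                                // false
```

Because the lookup result is passed in rather than performed inside the gate, the same function can be used both at request time (with a fresh lookup) and when replaying historical request logs through it to look for the multicast hits the advisory suggests reviewing.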

