dssrf CVE-2026-44232

HIGH
Incomplete Filtering of Special Elements (CWE-791)
2026-05-06 https://github.com/HackingRepo/dssrf-js GHSA-8p33-q827-ghj5
8.7
CVSS 4.0

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Re-analysis Queued
May 12, 2026 - 21:22 vuln.today
cvss_changed
CVSS changed
May 12, 2026 - 21:22 NVD
8.7 (HIGH)
Source Code Evidence Fetched
May 06, 2026 - 19:45 vuln.today
Analysis Generated
May 06, 2026 - 19:45 vuln.today
CVE Published
May 06, 2026 - 18:13 nvd
HIGH

Description (NVD)

A vulnerability in dssrf allows an attacker to bypass its SSRF protections by supplying one of the following IPv6 addresses, resulting in a successful SSRF. This contradicts dssrf documentation, which incorrectly claims that IPv6 is disabled entirely. See below:

Input	Category
http://[::1]/	IPv6 loopback
http://[fc00::1]/	IPv6 ULA
http://[fe80::1]/	IPv6 link-local
http://[::ffff:127.0.0.1]/	IPv4-mapped loopback
http://[::ffff:169.254.169.254]/	IPv4-mapped IMDS
http://[::ffff:100.64.0.1]/	IPv4-mapped CGNAT
http://[64:ff9b::7f00:1]/	NAT64 well-known prefix
http://[64:ff9b:1::1]/	NAT64 local-use (RFC 8215)
http://[5f00::1]/	SRv6 SID (RFC 9602)
http://[3fff::1]/	IPv6 documentation (RFC 9637)
http://[fec0::1]/	IPv6 site-local (deprecated, RFC 3879)
http://[::127.0.0.1]/	IPv4-compatible IPv6

POC

```bash
# Scratch project that installs dssrf and runs the audit script below.
mkdir dssrf-poc && cd dssrf-poc
npm init -y >/dev/null
npm install dssrf@^1.0.2
cat > audit.js <<'EOF'
const dssrf = require('dssrf');
// [url, label] pairs: IPv6 inputs from the table above, then IPv4 controls.
const cases = [
  ['http://[::1]/',                         'IPv6 loopback'],
  ['http://[fc00::1]/',                     'IPv6 ULA'],
  ['http://[fe80::1]/',                     'IPv6 link-local'],
  ['http://[::ffff:127.0.0.1]/',            'IPv4-mapped loopback'],
  ['http://[::ffff:169.254.169.254]/',      'IPv4-mapped IMDS'],
  ['http://[64:ff9b::7f00:1]/',             'NAT64 well-known + 127.0.0.1'],
  ['http://[64:ff9b:1::1]/',                'NAT64 local-use (RFC 8215)'],
  ['http://[5f00::1]/',                     'SRv6 SID (RFC 9602)'],
  ['http://[fec0::1]/',                     'IPv6 site-local deprecated'],
  ['http://127.0.0.1/',                     'IPv4 loopback (control)'],
  ['http://10.0.0.1/',                      'IPv4 RFC1918 (control)'],
  ['http://8.8.8.8/',                       'PUBLIC IPv4 (control)'],
];
(async () => {
  for (const [url, label] of cases) {
    // is_url_safe() returning true means dssrf would let the request through.
    const safe = await dssrf.is_url_safe(url);
    console.log(`${safe ? '✓ALLOW' : '·block'}  ${url.padEnd(40)}  ${label}`);
  }
})();
EOF
node audit.js
```

Credit

dssrf thanks <brmenna@gmail.com> for reporting this issue responsibly.

Update

Users should immediately update to dssrf 1.3.0.

Lessons Learned

As seen both in the past and today, many advisories and CVE bypasses leverage IPv6. IPv6 remains the weakest link, as it is rarely configured correctly and seldom tested. In this case, while IPv4 was properly blocked, the corresponding IPv6 blocking logic was completely broken and never actually worked.
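
One way to check IPv6 literals so that every input in the table above is rejected, as an added example that is not dssrf's code or its 1.3.0 fix: allow only global unicast (2000::/3) minus the special-purpose blocks inside it, rather than enumerating bad ranges. The function names and the strict allow-only-2000::/3 policy are assumptions; addresses returned by DNS need the same check, which is outside this example.

```javascript
// Added example, not dssrf's code. Policy (an assumption, deliberately strict):
// an IPv6 literal is allowed only if it is global unicast (2000::/3) and not in
// a special-purpose block carved out of that range. Everything else is blocked.

// Expand a WHATWG-normalized IPv6 host (hex groups, optional "::") to a BigInt.
function ipv6ToBigInt(host) {
  const [head, tail] = host.split('::');
  const h = head ? head.split(':') : [];
  const t = tail ? tail.split(':') : [];
  const groups = tail === undefined
    ? h
    : [...h, ...Array(8 - h.length - t.length).fill('0'), ...t];
  return groups.reduce((acc, g) => (acc << 16n) | BigInt(parseInt(g, 16)), 0n);
}

const cidr = (prefix, len) => ({ base: ipv6ToBigInt(prefix), len: BigInt(len) });
const inCidr = (addr, { base, len }) =>
  (addr >> (128n - len)) === (base >> (128n - len));

const GLOBAL_UNICAST = cidr('2000::', 3);
const CARVE_OUTS = [
  [cidr('2001::', 23), 'IETF protocol assignments, incl. Teredo'],
  [cidr('2001:db8::', 32), 'documentation (RFC 3849)'],
  [cidr('2002::', 16), '6to4, embeds an IPv4 address'],
  [cidr('3fff::', 20), 'documentation (RFC 9637)'],
];

// Returns null for non-IPv6 hosts (handled by the IPv4/DNS path, not shown),
// otherwise { allow, reason }. new URL() rewrites dotted tails such as
// ::ffff:127.0.0.1 to hex groups, so only hex input reaches ipv6ToBigInt.
function checkIpv6Literal(rawUrl) {
  const { hostname } = new URL(rawUrl);
  if (!hostname.startsWith('[')) return null;
  const addr = ipv6ToBigInt(hostname.slice(1, -1));
  if (!inCidr(addr, GLOBAL_UNICAST)) {
    return { allow: false, reason: 'outside 2000::/3' };
  }
  const hit = CARVE_OUTS.find(([net]) => inCidr(addr, net));
  return hit
    ? { allow: false, reason: hit[1] }
    : { allow: true, reason: 'global unicast' };
}

// Inputs from the advisory's table, plus a public address as a control.
for (const u of ['http://[::1]/', 'http://[::ffff:169.254.169.254]/',
  'http://[3fff::1]/', 'http://[2001:4860:4860::8888]/']) {
  console.log(u, checkIpv6Literal(u));
}
```

`new URL()` throws on malformed hosts, so a caller should treat an exception as a block.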

Analysis (AI)

The dssrf Node.js library (versions < 1.3.0) allows Server-Side Request Forgery (SSRF) protection bypass through IPv6 addresses targeting internal resources. Attackers can craft HTTP requests using IPv6 loopback (::1), unique local addresses (fc00::/7), link-local addresses (fe80::/10), IPv4-mapped IPv6 addresses (::ffff:127.0.0.1, ::ffff:169.254.169.254), NAT64 prefixes, and other IPv6 categories to access internal services, cloud metadata endpoints (IMDS), and private networks that the library was explicitly designed to block. …


Remediation (AI)

Within 24 hours: Audit all applications and dependencies to identify dssrf library usage and current version (check package.json and npm list dssrf). Within 7 days: Update dssrf to version 1.3.0 or later across all affected systems and redeploy applications; validate deployment in staging environment first. …
