Skip to main content

dssrf CVE-2026-44232

HIGH
Incomplete Filtering of Special Elements (CWE-791)
2026-05-06 https://github.com/HackingRepo/dssrf-js GHSA-8p33-q827-ghj5
8.7
CVSS 4.0 · Vendor: https://github.com/HackingRepo/dssrf-js
Share

Severity by source

Vendor (https://github.com/HackingRepo/dssrf-js) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (https://github.com/HackingRepo/dssrf-js) · only source for this CVE.

CVSS VectorVendor: https://github.com/HackingRepo/dssrf-js

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Re-analysis Queued
May 12, 2026 - 21:22 vuln.today
cvss_changed
CVSS changed
May 12, 2026 - 21:22 NVD
8.7 (HIGH)
Source Code Evidence Fetched
May 06, 2026 - 19:45 vuln.today
Analysis Generated
May 06, 2026 - 19:45 vuln.today
CVE Published
May 06, 2026 - 18:13 nvd
HIGH

DescriptionCVE.org

A vulnerability in dssrf allows an attacker to bypass its SSRF protections by supplying one of the following IPv6 addresses, resulting in a successful SSRF. This contradicts dssrf documentation, which incorrectly claims that IPv6 is disabled entirely. See below:

rust
Input	Category
http://[::1]/	IPv6 loopback
http://[fc00::1]/	IPv6 ULA
http://[fe80::1]/	IPv6 link-local
http://[::ffff:127.0.0.1]/	IPv4-mapped loopback
http://[::ffff:169.254.169.254]/	IPv4-mapped IMDS
http://[::ffff:100.64.0.1]/	IPv4-mapped CGNAT
http://[64:ff9b::7f00:1]/	NAT64 well-known prefix
http://[64:ff9b:1::1]/	NAT64 local-use (RFC 8215)
http://[5f00::1]/	SRv6 SID (RFC 9602)
http://[3fff::1]/	IPv6 documentation (RFC 9637)
http://[fec0::1]/	IPv6 site-local (deprecated, RFC 3879)
http://[::127.0.0.1]/	IPv4-compatible IPv6

POC

bash
mkdir dssrf-poc && cd dssrf-poc
npm init -y >/dev/null
npm install dssrf@^1.0.2
cat > audit.js <<'EOF'
const dssrf = require('dssrf');
const cases = [
  ['http://[::1]/',                         'IPv6 loopback'],
  ['http://[fc00::1]/',                     'IPv6 ULA'],
  ['http://[fe80::1]/',                     'IPv6 link-local'],
  ['http://[::ffff:127.0.0.1]/',            'IPv4-mapped loopback'],
  ['http://[::ffff:169.254.169.254]/',      'IPv4-mapped IMDS'],
  ['http://[64:ff9b::7f00:1]/',             'NAT64 well-known + 127.0.0.1'],
  ['http://[64:ff9b:1::1]/',                'NAT64 local-use (RFC 8215)'],
  ['http://[5f00::1]/',                     'SRv6 SID (RFC 9602)'],
  ['http://[fec0::1]/',                     'IPv6 site-local deprecated'],
  ['http://127.0.0.1/',                     'IPv4 loopback (control)'],
  ['http://10.0.0.1/',                      'IPv4 RFC1918 (control)'],
  ['http://8.8.8.8/',                       'PUBLIC IPv4 (control)'],
];
(async () => {
  for (const [url, label] of cases) {
    const safe = await dssrf.is_url_safe(url);
    console.log(`${safe ? '✓ALLOW' : '·block'}  ${url.padEnd(40)}  ${label}`);
  }
})();
EOF
node audit.js

Credit

dssrf thanks <brmenna@gmail.com> for reporting this issue responsibly.

Update

Users should immediately update to dssrf 1.3.0.

Lessons Learned

As seen both in the past and today, many advisories and CVE bypasses leverage IPv6. IPv6 remains the weakest link, as it is rarely configured correctly and seldom tested. In this case, while IPv4 was properly blocked, the corresponding IPv6 blocking logic was completely broken and never actually worked.,

AnalysisAI

The dssrf Node.js library (versions < 1.3.0) allows Server-Side Request Forgery (SSRF) protection bypass through IPv6 addresses targeting internal resources. Attackers can craft HTTP requests using IPv6 loopback (::1), unique local addresses (fc00::/7), link-local addresses (fe80::/10), IPv4-mapped IPv6 addresses (::ffff:127.0.0.1, ::ffff:169.254.169.254), NAT64 prefixes, and other IPv6 categories to access internal services, cloud metadata endpoints (IMDS), and private networks that the library was explicitly designed to block. The vulnerability directly contradicts dssrf documentation claiming IPv6 is disabled entirely, and a publicly available exploit code (POC) demonstrates all affected IPv6 categories. Patch available in version 1.3.0.

Technical ContextAI

The dssrf npm package (CPE: pkg:npm/dssrf) is a security library designed to prevent Server-Side Request Forgery attacks by validating URL safety before Node.js applications make outbound HTTP requests. The vulnerability stems from CWE-791 (Incomplete Filtering of Special Elements), specifically the failure to implement IPv6 address validation logic that parallels its IPv4 protections. While the library correctly blocks IPv4 private ranges (127.0.0.0/8, 10.0.0.0/8, 169.254.0.0/16) and RFC1918 space, it completely fails to filter IPv6 equivalents including loopback (::1/128), unique local addresses (fc00::/7 and deprecated fec0::/10), link-local (fe80::/10), IPv4-mapped IPv6 addresses (::ffff:0:0/96 wrapping private IPv4 space), IPv4-compatible addresses (deprecated ::/96 format), NAT64 well-known prefix (64:ff9b::/96) and local-use prefix (64:ff9b:1::/48), SRv6 SID space (5f00::/16), and IPv6 documentation ranges (3fff::/20). This oversight allows attackers to target AWS/GCP/Azure instance metadata services at ::ffff:169.254.169.254, internal APIs, and cloud admin endpoints through IPv6 notation that bypasses URL safety checks.

RemediationAI

Immediately upgrade to dssrf version 1.3.0 or later, which addresses all IPv6 bypass categories documented in the advisory. Update via npm with 'npm install dssrf@latest' or 'npm update dssrf', then verify package.json and package-lock.json reflect version 1.3.0+. Organizations requiring immediate risk reduction before patching can implement compensating controls: (1) Deploy network-level egress filtering to block outbound connections to RFC1918 IPv4 space, IPv6 ULA (fc00::/7), link-local (fe80::/10), loopback addresses, and cloud metadata endpoints (169.254.169.254 for both IPv4 and ::ffff:169.254.169.254 IPv6-mapped) at firewall or security group level, though this adds operational complexity and may break legitimate internal service communication; (2) Implement application-layer validation using an alternative SSRF protection library that explicitly supports IPv6 filtering (verify through security audit or published test suite); (3) Disable IPv6 at the host network stack level if the application does not require IPv6 connectivity (sysctl net.ipv6.conf.all.disable_ipv6=1 on Linux), though this prevents legitimate IPv6 usage and is not viable for dual-stack environments. Note that relying solely on dssrf versions < 1.3.0 with any compensating control still leaves gaps - upgrade to 1.3.0 is the only complete remediation. Advisory and patch details: https://github.com/advisories/GHSA-8p33-q827-ghj5.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Share

CVE-2026-44232 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy