{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/dssrf--1.3.0/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["dssrf (\u003c 1.3.0)"],"_cs_severities":["high"],"_cs_tags":["ssrf","vulnerability","ipv6","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eThe dssrf npm package, designed to prevent Server-Side Request Forgery (SSRF) attacks, contains a flaw that permits attackers to bypass its protections. This bypass is achieved by supplying specific IPv6 addresses that the \u003ccode\u003eis_url_safe\u003c/code\u003e function fails to properly validate. The dssrf documentation incorrectly states that IPv6 is disabled entirely, leading to a false sense of security. The vulnerability affects versions prior to 1.3.0. This allows attackers to potentially access internal network resources or conduct other malicious activities by crafting requests that appear safe but are ultimately routed to unintended destinations. This issue was reported responsibly, and users are urged to update to version 1.3.0 immediately.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a web application utilizing a vulnerable version of the \u003ccode\u003edssrf\u003c/code\u003e npm package for URL safety checks.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious URL containing an IPv6 address designed to bypass the \u003ccode\u003eis_url_safe\u003c/code\u003e function, such as \u003ccode\u003ehttp://[::1]/\u003c/code\u003e (IPv6 loopback) or \u003ccode\u003ehttp://[::ffff:169.254.169.254]/\u003c/code\u003e (IPv4-mapped IMDS).\u003c/li\u003e\n\u003cli\u003eThe web application, relying on the flawed \u003ccode\u003edssrf.is_url_safe\u003c/code\u003e function, incorrectly identifies the malicious URL as safe.\u003c/li\u003e\n\u003cli\u003eThe web application then uses the \u0026ldquo;safe\u0026rdquo; URL to make an HTTP request using standard libraries like \u003ccode\u003enode-fetch\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDue to the bypassed SSRF protection, the request is sent to the attacker-specified IPv6 address, potentially targeting internal resources or services.\u003c/li\u003e\n\u003cli\u003eThe internal service processes the attacker\u0026rsquo;s request, potentially exposing sensitive data or allowing unauthorized actions.\u003c/li\u003e\n\u003cli\u003eThe attacker receives the response from the internal service, successfully exfiltrating data or manipulating internal systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to bypass SSRF protections, potentially granting access to internal network resources, sensitive data, or unintended services. The number of affected applications is currently unknown, but any application using a vulnerable version of \u003ccode\u003edssrf\u003c/code\u003e (\u0026lt; 1.3.0) is susceptible. This could lead to data breaches, unauthorized access to cloud metadata services, or other internal service exploitation. The vulnerable package has had over 10,000 weekly downloads, demonstrating widespread use and potential impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003edssrf\u003c/code\u003e npm package to version 1.3.0 or later to remediate the vulnerability as advised in the advisory (\u003ca href=\"https://github.com/advisories/GHSA-8p33-q827-ghj5\"\u003ehttps://github.com/advisories/GHSA-8p33-q827-ghj5\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eImplement additional server-side input validation to filter URLs containing potentially malicious IPv6 addresses, complementing the \u003ccode\u003edssrf\u003c/code\u003e package.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to identify attempts to bypass SSRF protections by using IPv6 addresses in URLs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-06T18:13:32Z","date_published":"2026-05-06T18:13:32Z","id":"/briefs/2024-01-dssrf-ipv6-bypass/","summary":"A vulnerability in the dssrf npm package allows attackers to bypass SSRF protections by using specially crafted IPv6 addresses, despite documentation claiming IPv6 is disabled, which can lead to internal resource access or other malicious activities.","title":"dssrf SSRF Protection Bypass via IPv6 Addresses","url":"https://feed.craftedsignal.io/briefs/2024-01-dssrf-ipv6-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Dssrf (\u003c 1.3.0)","version":"https://jsonfeed.org/version/1.1"}