{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/npmjs/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.2,"id":"CVE-2025-8267"}],"_cs_exploited":false,"_cs_products":["ssrfcheck (\u003c 1.2.0)"],"_cs_severities":["high"],"_cs_tags":["ssrf","vulnerability","npm"],"_cs_type":"advisory","_cs_vendors":["npmjs"],"content_html":"\u003cp\u003eThe \u003ccode\u003essrfcheck\u003c/code\u003e npm package, designed to protect against Server-Side Request Forgery (SSRF) attacks, contains a vulnerability due to an incomplete IP address denylist. Specifically, the package fails to classify the reserved IP address space \u003ccode\u003e224.0.0.0/4\u003c/code\u003e (Multicast) as invalid. This omission allows attackers to bypass the intended SSRF protection mechanisms. The vulnerability affects all versions of \u003ccode\u003essrfcheck\u003c/code\u003e up to and including version \u003ccode\u003e1.1.1\u003c/code\u003e. This issue came to light in early May 2026. Although multicast addresses are typically used for local network communication, their acceptance by \u003ccode\u003essrfcheck\u003c/code\u003e deviates from established security practices and could be exploited in certain SSRF scenarios. The maintainers have released version 1.2.0 to address this vulnerability, incorporating the missing reserved IP range into the denylist.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a web application that utilizes the vulnerable \u003ccode\u003essrfcheck\u003c/code\u003e package for URL validation.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious URL containing an address within the \u003ccode\u003e224.0.0.0/4\u003c/code\u003e IP range (e.g., \u003ccode\u003e239.255.255.250\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe web application uses \u003ccode\u003essrfcheck\u003c/code\u003e\u0026rsquo;s \u003ccode\u003eisSSRFSafeURL\u003c/code\u003e function to validate the URL.\u003c/li\u003e\n\u003cli\u003eDue to the missing IP range in \u003ccode\u003essrfcheck\u003c/code\u003e\u0026rsquo;s denylist, the function incorrectly returns \u003ccode\u003etrue\u003c/code\u003e, indicating the URL is safe.\u003c/li\u003e\n\u003cli\u003eThe web application proceeds to make a request to the attacker-controlled multicast address.\u003c/li\u003e\n\u003cli\u003eThe request is routed within the internal network, potentially targeting internal services or resources that are not exposed to the public internet.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive data or functionality within the internal network.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the obtained information or uses the compromised service as a pivot point for further attacks within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF vulnerability could allow attackers to bypass intended security controls and access internal network resources. While the use of multicast addresses may limit the scope of potential attacks, it still presents a risk of unauthorized access to sensitive information and systems. The vulnerability affects all users of the \u003ccode\u003essrfcheck\u003c/code\u003e package up to version 1.1.1. Web applications relying on \u003ccode\u003essrfcheck\u003c/code\u003e for SSRF protection are vulnerable until the package is updated to version 1.2.0 or later.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003essrfcheck\u003c/code\u003e package to version 1.2.0 or later to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSSRFCheck_Multicast_Bypass\u003c/code\u003e to detect attempts to exploit this vulnerability in your environment.\u003c/li\u003e\n\u003cli\u003eReview and audit any custom SSRF protection mechanisms that may be in place to ensure they adequately address reserved IP address spaces.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for connections to multicast addresses originating from web applications that rely on URL validation.\u003c/li\u003e\n\u003cli\u003eUpdate your vulnerability management system to include CVE-2025-8267 for tracking and remediation purposes.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of potential SSRF attacks, even if the vulnerable package is exploited.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-05T20:29:06Z","date_published":"2026-05-05T20:29:06Z","id":"/briefs/2024-01-ssrfcheck-bypass/","summary":"The `ssrfcheck` npm package is vulnerable to SSRF bypass due to an incomplete denylist of IP addresses. The package fails to classify the reserved IP address space 224.0.0.0/4 (Multicast) as invalid, allowing potential SSRF attacks. All versions up to and including 1.1.1 are affected. A patch has been released in version 1.2.0.","title":"ssrfcheck SSRF Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-ssrfcheck-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Npmjs","version":"https://jsonfeed.org/version/1.1"}