CVE-2025-15104

5.3 MEDIUM

📋 TL;DR

The Nu Html Checker (validator.nu) contains a server-side request forgery (SSRF) vulnerability that allows attackers to bypass hostname-based protections and make the server perform HTTP/HTTPS requests to internal resources, including localhost services. This affects all deployments of the Nu Html Checker web service, particularly those exposed to untrusted users who can submit HTML for validation.

💻 Affected Systems

Products:
  • Nu Html Checker (validator.nu)
Versions: Latest version (commit 23f090a11bab8d0d4e698f1ffc197a4fe226a9cd) and likely earlier versions
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments where the validator service is accessible to untrusted users. Local command-line usage is not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could access sensitive internal services, retrieve credentials from metadata services, interact with internal APIs, or perform reconnaissance on internal network segments.

🟠 Likely Case

Information disclosure from internal services, enumeration of internal network resources, or limited interaction with unprotected internal APIs.

🟢 If Mitigated

Limited impact if network segmentation prevents access to sensitive services and internal services require authentication.

🌐 Internet-Facing: HIGH - The vulnerability allows bypassing of intended restrictions and can be exploited by any user who can submit HTML to the validator service.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit this to pivot within the network, but external access would be prevented.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires DNS rebinding techniques or control of domains that resolve to loopback addresses, but no authentication is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://github.com/validator/validator

Restart Required: No

Instructions:

Monitor the GitHub repository for security updates. Consider implementing network-level controls as workarounds until a patch is available.

🔧 Temporary Workarounds

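Network Segmentation (linux)

Restrict the validator service's network access to prevent outbound connections to internal resources. As written, the rules below drop all outbound TCP traffic from the host to ports 80 and 443, so they also stop the validator from fetching any remote document, and they do not cover internal services listening on other ports.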

iptables -A OUTPUT -p tcp --dport 80 -j DROP
iptables -A OUTPUT -p tcp --dport 443 -j DROP

DNS Filtering (all platforms)

Block DNS resolution to localhost and internal IP ranges at the network level

🧯 If You Can't Patch

  • Isolate the validator service in a restricted network segment with no access to internal resources
  • Implement strict egress filtering to only allow necessary outbound connections from the validator service

🔍 How to Verify

Check if Vulnerable:

Test if the validator service can be made to request internal resources by submitting HTML with specially crafted URLs that bypass hostname checks

Check Version:

Check the validator service version or commit hash if running from source

Verify Fix Applied:

Verify that the validator service rejects or cannot reach internal resources when attempting SSRF attacks

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound HTTP/HTTPS requests from validator service to internal IP addresses
  • Multiple validation requests with similar URL patterns

Network Indicators:

  • HTTP requests from validator service to localhost/127.0.0.1 or internal network ranges
  • DNS queries for domains that resolve to loopback addresses

SIEM Query:

source="validator-service" AND (dest_ip=127.0.0.1 OR dest_ip=::1 OR dest_ip IN [10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16])
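
An offline version of the SIEM query above, as an added example that is not part of the original advisory or the validator project: it flags validator-service connections by destination address rather than hostname and, going beyond the query, also covers all of 127.0.0.0/8, link-local space and IPv4-mapped IPv6 forms. The JSON log format, field names and sample events are constructed assumptions.

```python
import ipaddress
import json

# Ranges from the SIEM query, widened (assumption) to all of 127.0.0.0/8 and
# to link-local space (169.254.0.0/16 commonly hosts cloud metadata endpoints).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "fe80::/10",
)]

def is_internal(dest_ip):
    """True if dest_ip is a loopback, private or link-local address."""
    try:
        addr = ipaddress.ip_address(dest_ip)
    except ValueError:
        return False  # not an IP literal, nothing to match on
    # ::ffff:127.0.0.1 is the IPv4-mapped form of 127.0.0.1, so unwrap it.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in INTERNAL_NETS)

def flag_ssrf_candidates(log_lines, source="validator-service"):
    """Return events where the validator connected to an internal address."""
    hits = []
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines
        if not isinstance(event, dict) or event.get("source") != source:
            continue
        if is_internal(event.get("dest_ip", "")):
            hits.append(event)
    return hits

# Constructed sample events; the log format and field names are hypothetical.
SAMPLE_LOGS = [
    '{"source": "validator-service", "host": "www.example.com", "dest_ip": "203.0.113.10", "dest_port": 443}',
    '{"source": "validator-service", "host": "a.rebind.example", "dest_ip": "127.0.0.1", "dest_port": 8080}',
    '{"source": "validator-service", "host": "b.rebind.example", "dest_ip": "::ffff:127.0.0.1", "dest_port": 80}',
    '{"source": "validator-service", "host": "meta.rebind.example", "dest_ip": "169.254.169.254", "dest_port": 80}',
    '{"source": "other-service", "host": "localhost", "dest_ip": "127.0.0.1", "dest_port": 5432}',
    '{"source": "validator-service", "host": "cdn.example.net", "dest_ip": "172.32.0.5", "dest_port": 443}',
]

if __name__ == "__main__":
    for hit in flag_ssrf_candidates(SAMPLE_LOGS):
        print(hit["host"], "->", hit["dest_ip"], hit["dest_port"])
```

The flagged events all carry hostnames that look external, which is why the match is made on the resolved destination address.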
