CVE-2025-8267

8.2 HIGH

📋 TL;DR

The ssrfcheck package versions before 1.2.0 are vulnerable to Server-Side Request Forgery (SSRF) due to an incomplete IP address denylist that fails to block multicast addresses (224.0.0.0/4). This allows attackers to craft requests that bypass SSRF protections and target multicast networks. Any application using vulnerable versions of ssrfcheck for SSRF validation is affected.

💻 Affected Systems

Products:
  • ssrfcheck
Versions: All versions before 1.2.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using ssrfcheck for SSRF validation. The vulnerability exists in the library's IP validation logic.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could bypass SSRF protections entirely, potentially reaching internal services, cloud metadata endpoints, or other restricted resources that would normally be blocked.

🟠

Likely Case

Attackers can probe internal networks via multicast addresses, potentially discovering internal services or conducting network reconnaissance.

🟢

If Mitigated

With proper network segmentation and egress filtering, impact is limited to multicast network probing with minimal data exposure.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the application to process user-controlled URLs. The vulnerability is well-documented with public proof-of-concept available in the GitHub issue.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.0

Vendor Advisory: https://github.com/felippe-regazio/ssrfcheck/commit/9507b49fd764f2a1a1d1e3b9ee577b7545e6950e

Restart Required: No

Instructions:

1. Update ssrfcheck to version 1.2.0 or later using npm: npm update ssrfcheck
2. Verify the update with: npm list ssrfcheck
3. Test SSRF validation with multicast addresses to confirm blocking.

🔧 Temporary Workarounds

Custom IP validation wrapper (applies to: all)

Implement additional validation to block multicast addresses (224.0.0.0/4) before passing URLs to ssrfcheck.
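As an added example (not ssrfcheck's own code; the call into ssrfcheck itself is left out because its API is not described here), a pre-check that rejects IPv4 multicast destinations before a URL is handed to the library. The CIDR helper is general, so the same wrapper can deny any other IPv4 range you need to cover:

```javascript
// Added example, not part of ssrfcheck: reject URLs whose host is an IPv4 multicast
// address (224.0.0.0/4) before the URL reaches ssrfcheck < 1.2.0 (CVE-2025-8267).

// Strict dotted-quad IPv4 (no leading zeros, each octet 0-255).
const IPV4_RE = /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;

// Convert a dotted-quad IPv4 string to an unsigned 32-bit integer.
function ipv4ToInt(ip) {
  return ip.split('.').reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}

// True when `ip` (dotted-quad) lies inside `cidr`, e.g. ipv4InCidr('224.0.0.1', '224.0.0.0/4').
function ipv4InCidr(ip, cidr) {
  if (!IPV4_RE.test(ip)) return false;
  const [base, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// The range ssrfcheck < 1.2.0 fails to deny.
const MULTICAST_V4 = '224.0.0.0/4';

// Returns { ok, reason }. `ok: true` only means the multicast pre-check passed; the caller
// should still run ssrfcheck on the same URL for the library's remaining checks.
function preCheckUrl(rawUrl) {
  let url;
  try {
    // The WHATWG URL parser canonicalises the host, so the check sees the dotted-quad form.
    url = new URL(rawUrl);
  } catch {
    return { ok: false, reason: 'unparseable URL' };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: 'unsupported scheme' };
  }
  if (ipv4InCidr(url.hostname, MULTICAST_V4)) {
    return { ok: false, reason: 'multicast destination blocked' };
  }
  return { ok: true, reason: 'passed multicast pre-check; defer to ssrfcheck' };
}
```

Only dotted-quad IPv4 hosts are examined here; hostnames and IPv6 literals fall through to ssrfcheck unchanged.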

🧯 If You Can't Patch

  • Implement network egress filtering to block outbound traffic to multicast addresses (224.0.0.0/4)
  • Use a web application firewall (WAF) with SSRF protection rules to block requests to multicast addresses

🔍 How to Verify

Check if Vulnerable:

Check package.json or run: npm list ssrfcheck | grep ssrfcheck

Check Version:

npm list ssrfcheck | grep ssrfcheck

Verify Fix Applied:

Test SSRF validation with a multicast address (e.g., 224.0.0.1); it should be rejected in version 1.2.0 or later.

📡 Detection & Monitoring

Log Indicators:

  • Outbound HTTP requests to IP addresses in 224.0.0.0/4 range
  • SSRF validation failures for multicast addresses

Network Indicators:

  • Outbound traffic to multicast IP ranges from web servers
  • Unusual destination IPs in 224.0.0.0/4

SIEM Query:

destination.ip IN (224.0.0.0/4) AND process.name CONTAINS 'node'
