Server-Side Request Forgery (SSRF) Affecting private-ip package, versions *



Threat Intelligence

Exploit Maturity: Proof of Concept

  • Snyk ID: SNYK-JS-PRIVATEIP-9510757
  • published: 22 Jul 2025
  • disclosed: 23 Mar 2025
  • credit: Liran Tal

Introduced: 23 Mar 2025

CVE-2025-8020
CWE-918
First added by Snyk

How to fix?

There is no fixed version for private-ip.

Overview

private-ip is a package that checks whether an IP address is private.

Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF): an attacker can provide an IP address, or a hostname that resolves to one, in the multicast range (224.0.0.0/4), which the package's source code does not include among its private IP ranges.

PoC

  1. Define an app.js file with the programmatic API of private-ip as follows:

    import is_ip_private from 'private-ip'
    import ipaddr from 'ipaddr.js'

    // -- private-ip
    console.log(is_ip_private('127.0.0.1'))
    console.log(is_ip_private('10.0.0.0'))
    console.log(is_ip_private('169.254.0.1'))
    console.log(is_ip_private('239.255.255.250'))

    // -- ipaddr.js
    console.log(ipaddr.parse('127.0.0.1').range())
    console.log(ipaddr.parse('10.0.0.0').range())
    console.log(ipaddr.parse('169.254.0.1').range())
    console.log(ipaddr.parse('239.255.255.250').range())

  2. Run the app.js file.

  3. Observe that the private-ip package does not detect the multicast IP address 239.255.255.250 as a private IP address and returns true for all 4 checks.
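The PoC above compares private-ip against ipaddr.js on the same four addresses. The following is an added example, not code from private-ip, ipaddr.js or Snyk, showing the defensive shape a classifier needs so that the multicast block 224.0.0.0/4 (the range the advisory says private-ip omits) is rejected alongside loopback, link-local and RFC 1918 space. The block list, the function names `parseIPv4`, `classifyIPv4` and `isPublicIPv4`, and the strict dotted-quad parser are all assumptions of this example; it has no dependencies and runs under Node.

```javascript
// Added example (not the private-ip package's code): classify an IPv4 address
// against a deny-list of non-public ranges that includes multicast 224.0.0.0/4.
// Entries are [network, prefix length, label]; labels are assumed names.
const NON_PUBLIC_IPV4 = [
  ['0.0.0.0', 8, 'this-network'],
  ['10.0.0.0', 8, 'private'],
  ['100.64.0.0', 10, 'shared-address-space'],
  ['127.0.0.0', 8, 'loopback'],
  ['169.254.0.0', 16, 'link-local'],
  ['172.16.0.0', 12, 'private'],
  ['192.168.0.0', 16, 'private'],
  ['224.0.0.0', 4, 'multicast'],   // the block private-ip is reported to miss
  ['240.0.0.0', 4, 'reserved'],    // also covers 255.255.255.255 (broadcast)
];

// Strict dotted-quad parser: exactly four decimal octets 0-255, no leading
// zeros, so alternative encodings are refused rather than silently reinterpreted.
// Returns the address as an unsigned 32-bit integer, or null if invalid.
function parseIPv4(text) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(text);
  if (!m) return null;
  let value = 0;
  for (let i = 1; i <= 4; i++) {
    const octet = m[i];
    if (octet.length > 1 && octet[0] === '0') return null; // reject "01", "007"
    const n = Number(octet);
    if (n > 255) return null;
    value = value * 256 + n;
  }
  return value;
}

// True when `addr` falls inside network `base` with the given prefix length.
function inCidr(addr, base, prefix) {
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return ((addr & mask) >>> 0) === ((base & mask) >>> 0);
}

// Returns the label of the first matching non-public block, 'public' if none
// matches, or 'invalid' if the text is not a well-formed dotted quad.
function classifyIPv4(text) {
  const addr = parseIPv4(text);
  if (addr === null) return 'invalid';
  for (const [network, prefix, label] of NON_PUBLIC_IPV4) {
    if (inCidr(addr, parseIPv4(network), prefix)) return label;
  }
  return 'public';
}

// Allow-list style decision: only a well-formed address outside every listed
// block counts as public. Invalid input is not public.
function isPublicIPv4(text) {
  return classifyIPv4(text) === 'public';
}

// Constructed sample inputs: the four addresses from the PoC plus a few extras.
const SAMPLES = ['127.0.0.1', '10.0.0.0', '169.254.0.1', '239.255.255.250',
                 '8.8.8.8', '223.255.255.255', '0177.0.0.1'];
for (const ip of SAMPLES) {
  console.log(`${ip.padEnd(16)} ${classifyIPv4(ip)}`);
}

module.exports = { NON_PUBLIC_IPV4, parseIPv4, inCidr, classifyIPv4, isPublicIPv4 };
```

Two points matter when using a check like this as an SSRF guard. First, the advisory's attacker supplies "an IP or hostname that resolves to" a multicast address, so the classification has to run on the address the resolver actually returned, not on the literal the user typed. Second, the deny-list is only as good as its coverage: the PoC shows what happens when one block is left out, which is why the example treats anything not affirmatively public as rejected and returns 'invalid' rather than guessing for malformed input.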
