CVE-2025-8267
BaseFortify

Publication date: 2025-07-28

Last updated on: 2026-04-29

Assigner: Snyk

Description
Versions of the package ssrfcheck before 1.2.0 are vulnerable to Server-Side Request Forgery (SSRF) due to an incomplete denylist of IP address ranges. Specifically, the package fails to classify the reserved IP address space 224.0.0.0/4 (Multicast) as invalid. This oversight allows attackers to craft requests targeting these multicast addresses.
Meta Information
Published: 2025-07-28
Last Modified: 2026-04-29
Generated: 2026-05-07
AI Q&A: 2025-07-28
EPSS Evaluated: 2026-05-05
NVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: felipperegazio
Product: ssrf_check
Version / Range: to 1.2.0 (exc)
CWE
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-8267 is a Server-Side Request Forgery (SSRF) vulnerability in the npm package ssrfcheck versions before 1.2.0. The vulnerability occurs because ssrfcheck fails to classify the reserved multicast IP address range 224.0.0.0/4 as invalid. This incomplete denylist allows attackers to craft SSRF requests targeting these multicast addresses, bypassing the package's SSRF protections. [1, 3, 4]
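To make the "incomplete denylist" concrete, here is an added example written for this page (it is not the ssrfcheck package's code, and the range lists and function names are assumptions for illustration): a minimal IPv4 CIDR check run against a denylist without the 224.0.0.0/4 entry and against the same list with it, showing how a multicast target slips through the first and is rejected by the second.

```javascript
// Added example, not ssrfcheck's own code: a minimal IPv4 denylist check that
// shows the effect of omitting 224.0.0.0/4 (multicast) from the reserved ranges.

// Convert dotted-quad IPv4 text to an unsigned 32-bit integer; null if malformed.
function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;  // reject empty, signed, hex, etc.
    const v = Number(p);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n >>> 0;
}

// True if ip falls inside the CIDR block "a.b.c.d/len".
function inCidr(ip, cidr) {
  const [base, lenText] = cidr.split('/');
  const len = Number(lenText);
  const ipInt = ipv4ToInt(ip);
  const baseInt = ipv4ToInt(base);
  if (ipInt === null || baseInt === null || !(len >= 0 && len <= 32)) return false;
  const mask = len === 0 ? 0 : (0xffffffff << (32 - len)) >>> 0;  // JS shifts mod 32
  return ((ipInt & mask) >>> 0) === ((baseInt & mask) >>> 0);
}

// Assumed incomplete denylist: loopback, RFC 1918, link-local and "this
// network", but no multicast entry (the gap described in this advisory).
const INCOMPLETE_DENYLIST = [
  '0.0.0.0/8', '10.0.0.0/8', '127.0.0.0/8', '169.254.0.0/16',
  '172.16.0.0/12', '192.168.0.0/16',
];

// Corrected denylist: the same ranges plus 224.0.0.0/4 (multicast).
const CORRECTED_DENYLIST = [...INCOMPLETE_DENYLIST, '224.0.0.0/4'];

// Returns true only when ip parses and matches none of the denylisted ranges.
// Unparseable input is treated as unsafe (fail closed).
function isAllowedTarget(ip, denylist) {
  if (ipv4ToInt(ip) === null) return false;
  return !denylist.some((cidr) => inCidr(ip, cidr));
}
```

Running `isAllowedTarget('224.0.0.1', INCOMPLETE_DENYLIST)` returns true, while the same address against `CORRECTED_DENYLIST` returns false; private and malformed addresses are rejected by both lists.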


How can this vulnerability impact me?

This vulnerability can allow attackers to bypass SSRF protections in applications using vulnerable versions of ssrfcheck. By exploiting the incomplete denylist, attackers can send crafted requests to multicast IP addresses that should be blocked, potentially leading to unauthorized internal network access or information disclosure. The vulnerability has a high severity score (CVSS v4.0 base score 8.8) indicating a significant risk if exploited. [1, 3, 4]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if your system or application uses the ssrfcheck package version prior to 1.2.0, which fails to classify the multicast IP address range 224.0.0.0/4 as invalid. To detect potential exploitation attempts, you can monitor network traffic or logs for requests targeting multicast IP addresses within 224.0.0.0/4. For example, you can use network monitoring tools or commands like `tcpdump` or `wireshark` to filter traffic to multicast addresses. A sample tcpdump command to detect such traffic could be: `tcpdump -n dst net 224.0.0.0/4`. Additionally, checking your package version with `npm list ssrfcheck` or inspecting your dependency tree can help identify if you are using a vulnerable version. [3, 4]


What immediate steps should I take to mitigate this vulnerability?

The immediate step to mitigate this vulnerability is to upgrade the ssrfcheck package to version 1.2.0 or later, where the multicast IP address range 224.0.0.0/4 is properly included in the denylist, preventing SSRF bypasses. If upgrading is not immediately possible, consider implementing additional network-level controls to block outbound requests to multicast IP ranges (224.0.0.0/4) and monitor for suspicious SSRF activity targeting these addresses. [3, 4, 2]

