Versions of the package ssrfcheck before 1.2.0 are vulnerable to Server-Side Request Forgery (SSRF) due to an incomplete denylist of IP address ranges. Specifically, the package fails to classify the reserved IP address space 224.0.0.0/4 (Multicast) as invalid. This oversight allows attackers to craft requests targeting these multicast addresses.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Thu, 07 Aug 2025 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Felipperegazio
Felipperegazio ssrf Check
CPEs cpe:2.3:a:felipperegazio:ssrf_check:*:*:*:*:*:*:*:*
Vendors & Products Felipperegazio
Felipperegazio ssrf Check

Tue, 29 Jul 2025 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Ssrfcheck
Ssrfcheck ssrfcheck
Vendors & Products Ssrfcheck
Ssrfcheck ssrfcheck

Mon, 28 Jul 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 28 Jul 2025 05:15:00 +0000

Type Values Removed Values Added
Description Versions of the package ssrfcheck before 1.2.0 are vulnerable to Server-Side Request Forgery (SSRF) due to an incomplete denylist of IP address ranges. Specifically, the package fails to classify the reserved IP address space 224.0.0.0/4 (Multicast) as invalid. This oversight allows attackers to craft requests targeting these multicast addresses.
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:P'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


cve-icon MITRE

Status: PUBLISHED

Assigner: snyk

Published:

Updated: 2025-07-28T16:01:35.358Z

Reserved: 2025-07-27T12:56:36.513Z

Link: CVE-2025-8267

cve-icon Vulnrichment

Updated: 2025-07-28T16:01:31.611Z

cve-icon NVD

Status : Analyzed

Published: 2025-07-28T05:16:20.673

Modified: 2025-08-07T14:42:32.477

Link: CVE-2025-8267

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-07-29T10:01:02Z