Description
DSSRF is a Node.js library that provides a wide range of utilities and advanced SSRF defense checks. Prior to 1.3.0, every IPv6 category bypasses is_url_safe. This vulnerability is fixed in 1.3.0.
Published: 2026-05-12
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in the dssrf-js Node.js library. Before version 1.3.0, the is_url_safe routine considers every IPv6 address to be safe, so any URL whose host is an IPv6 literal passes the check regardless of the range it falls in. As a result, code that uses dssrf-js can inadvertently resolve internal network addresses that should be blocked, creating a classic SSRF bypass. The flaw can lead to retrieval of sensitive internal data or execution of code on internal services that the application can reach. The weakness is classified as CWE-791.

Affected Systems

The affected product is HackingRepo's dssrf-js library, versions prior to 1.3.0. The fix is available in 1.3.0 and later.

Risk and Exploitability

The CVSS score of 8.7 signals high severity. The EPSS score is not listed, so the current exploitation probability is unknown, and the vulnerability is not listed in CISA KEV, so there is no confirmed in-the-wild exploitation. Attackers who can supply arbitrary URLs to an application that uses dssrf-js can exploit the unsafe IPv6 handling to reach internal hosts. The vulnerability therefore poses a significant risk in environments where the library is exposed to untrusted input. The attack vector is remote and unauthenticated (the CVSS 4.0 vector records AV:N/AC:L/AT:N/PR:N/UI:N), contingent on the application's exposure, and requires an attacker who can influence the URL being passed to the library.

Generated by OpenCVE AI on May 12, 2026 at 22:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade dssrf-js to version 1.3.0 or later, which removes the false safety assumption for IPv6 addresses.
  • Implement input validation that rejects or sanitizes unexpected IPv6 addresses before invoking the library.
  • Restrict network access from the application server to internal services using firewall rules or network segmentation to mitigate the impact of any SSRF attempts.


Advisories
Source: GitHub GHSA
ID: GHSA-8p33-q827-ghj5
Title: dssrf: every IPv6 category bypasses is_url_safe
History

Tue, 12 May 2026 21:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: DSSRF is a Node.js library that provides a wide range of utilities and advanced SSRF defense checks. Prior to 1.3.0, every IPv6 category bypasses is_url_safe. This vulnerability is fixed in 1.3.0.

Type: Title
Values Removed: (none)
Values Added: dssrf: every IPv6 category bypasses is_url_safe

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-791

Type: References
Values Removed: (none)
Values Added: (empty)

Type: Metrics
Values Removed: (none)
Values Added: cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T20:28:56.918Z

Reserved: 2026-05-05T15:42:40.518Z

Link: CVE-2026-44232

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-12T21:16:16.270

Modified: 2026-05-12T21:16:16.270

Link: CVE-2026-44232

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T23:00:12Z

Weaknesses