CVE-2025-2691
Published: 23 March 2025
Summary
CVE-2025-2691 is a high-severity SSRF (CWE-918) vulnerability in Nossrf Project Nossrf. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 8.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-2691, published on 2025-03-23, affects versions of the JavaScript package nossrf prior to 1.0.4. This vulnerability is a Server-Side Request Forgery (SSRF) issue classified under CWE-918, where an attacker can bypass the package's SSRF protection mechanism by supplying a hostname that resolves to a local or reserved IP address space. The flaw carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), indicating high severity due to its network accessibility, low attack complexity, and lack of prerequisites.
Unauthenticated attackers with network access can exploit this vulnerability without user interaction. By providing malicious hostnames to the affected nossrf package, they can circumvent SSRF mitigations, enabling requests to internal or reserved IP spaces. This achieves high confidentiality impact by potentially exposing sensitive internal resources and low integrity impact through limited manipulation capabilities.
The Snyk security advisory at https://security.snyk.io/vuln/SNYK-JS-NOSSRF-9510842 details the vulnerability and confirms that it is remediated in nossrf version 1.0.4. Practitioners should upgrade to this version or later in affected applications to prevent exploitation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7318
Vulnerability details
Versions of the package nossrf before 1.0.4 are vulnerable to Server-Side Request Forgery (SSRF) where an attacker can provide a hostname that resolves to a local or reserved IP address space and bypass the SSRF protection mechanism.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSRF vulnerability in public-facing JavaScript package enables exploitation of applications to access internal resources.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates CVE-2025-2691 by requiring timely remediation of the SSRF bypass flaw through upgrading nossrf to version 1.0.4 or later.
Validates untrusted hostname inputs to detect and block those resolving to local or reserved IP addresses, preventing SSRF exploitation.
Enforces information flow policies that restrict server-side requests to authorized external destinations, blocking unauthorized access to internal resources via SSRF.