Cyber Resilience

CVE-2025-2691

Severity: High · Public PoC

Published: 23 March 2025
Modified: 29 April 2026
KEV Added: not listed
Patch: fixed in nossrf 1.0.4
CVSS v4 score: 7.8 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0003 (8.3th percentile)
Risk priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-2691 is a high-severity Server-Side Request Forgery (SSRF, CWE-918) vulnerability in the nossrf package published by the Nossrf Project. Its CVSS v4 base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 8.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST SP 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-2691, published on 2025-03-23, affects versions of the JavaScript package nossrf prior to 1.0.4. It is a Server-Side Request Forgery (SSRF) issue classified under CWE-918: an attacker can bypass the package's SSRF protection mechanism by supplying a hostname that resolves to a local or reserved IP address space, so the check passes the name even though the request ends up at an internal address. The flaw carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), reflecting network reachability, low attack complexity, and no privilege or user-interaction prerequisites.

Unauthenticated attackers with network access can exploit this vulnerability without user interaction. By supplying such hostnames to an application that relies on the affected nossrf package, they can circumvent its SSRF mitigation and cause the server to issue requests into internal or reserved IP space. The confidentiality impact is high, since internal resources may be exposed; the integrity impact is low, limited to what those requests can manipulate.

The Snyk security advisory at https://security.snyk.io/vuln/SNYK-JS-NOSSRF-9510842 details the vulnerability and confirms that it is remediated in nossrf version 1.0.4. Practitioners should upgrade to this version or later in affected applications to prevent exploitation.

EU & UK References

Vulnerability details

Versions of the package nossrf before 1.0.4 are vulnerable to Server-Side Request Forgery (SSRF) where an attacker can provide a hostname that resolves to a local or reserved IP address space and bypass the SSRF protection mechanism.

CWE(s): CWE-918 Server-Side Request Forgery (SSRF)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

An SSRF bypass in a JavaScript package used by public-facing applications lets an attacker turn those applications into a path to internal resources.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2026-6514 (shared CWE-918)
- CVE-2026-44116 (shared CWE-918)
- CVE-2026-21887 (shared CWE-918)
- CVE-2026-31910 (shared CWE-918)
- CVE-2026-48153 (shared CWE-918)
- CVE-2026-45298 (shared CWE-918)
- CVE-2026-39362 (shared CWE-918)
- CVE-2026-31989 (shared CWE-918)
- CVE-2025-27652 (shared CWE-918)
- CVE-2026-42352 (shared CWE-918)

Affected Assets

nossrf project: nossrf, versions ≤ 1.0.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI)

- prevent: Directly mitigates CVE-2025-2691 by requiring timely remediation of the SSRF bypass flaw through upgrading nossrf to version 1.0.4 or later.
- prevent (SI-10 Information Input Validation): Validates untrusted hostname inputs to detect and block those resolving to local or reserved IP addresses, preventing SSRF exploitation.
- prevent (AC-4 Information Flow Enforcement): Enforces information flow policies that restrict server-side requests to authorized external destinations, blocking unauthorized access to internal resources via SSRF.

References