Cyber Resilience

CVE-2025-8267

Severity: High · Public PoC

Published: 28 July 2025
Modified: 29 April 2026
CVSS v4 score: 7.8 (vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0012 (30.0th percentile)
Risk priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-8267 is a high-severity SSRF (CWE-918) vulnerability in Felipperegazio Ssrf Check. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 30.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-8267 is a Server-Side Request Forgery (SSRF) vulnerability (CWE-918) affecting versions of the Node.js package ssrfcheck prior to 1.2.0. The flaw stems from an incomplete denylist of IP address ranges, specifically failing to classify the reserved multicast IP space 224.0.0.0/4 as invalid. This allows attackers to bypass input validation and direct the application to issue requests to these multicast addresses. The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), indicating high severity due to network accessibility and significant confidentiality impact.

Any unauthenticated attacker with network access to an application using vulnerable ssrfcheck versions can exploit this by crafting malicious URLs targeting 224.0.0.0/4 addresses. Successful exploitation enables the attacker to force the server to make unintended requests to multicast endpoints, potentially leading to high confidentiality impacts such as unauthorized access to internal resources or services listening on those addresses, with low integrity impact and no availability disruption.

Advisories and patches recommend upgrading to ssrfcheck version 1.2.0 or later, where the denylist has been updated via commit 9507b49fd764f2a1a1d1e3b9ee577b7545e6950e to properly block 224.0.0.0/4. Snyk's security advisory (SNYK-JS-SSRFCHECK-9510756) and the project's GitHub issue #5 detail the fix, emphasizing validation of all reserved IP ranges to prevent SSRF bypasses.
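To make the denylist gap concrete, here is an added example (not ssrfcheck's own code): a minimal IPv4 CIDR denylist checker with a constructed denylist that omits 224.0.0.0/4, beside a corrected list that adds it (and, going slightly beyond the advisory, the reserved 240.0.0.0/4 range). The function and list names are hypothetical.

```javascript
// Added example, not code from the ssrfcheck package.
// Parses a dotted-quad IPv4 address into an unsigned integer; returns null on
// malformed input (wrong octet count, non-numeric, >255, or leading zeros that
// some parsers would read as octal).
function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^(0|[1-9]\d{0,2})$/.test(p)) return null;
    const v = Number(p);
    if (v > 255) return null;
    n = n * 256 + v;            // arithmetic, not bitwise: avoids signed-32 wraparound
  }
  return n;
}

// True when `ip` falls inside the CIDR block `cidr` (e.g. "224.0.0.0/4").
function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  const ipN = ipv4ToInt(ip);
  const baseN = ipv4ToInt(base);
  if (ipN === null || baseN === null || !(bits >= 0 && bits <= 32)) return false;
  const size = 2 ** (32 - bits);
  const start = Math.floor(baseN / size) * size;
  return ipN >= start && ipN < start + size;
}

// Constructed denylist with the gap the advisory describes: no multicast range.
const INCOMPLETE_DENYLIST = [
  '0.0.0.0/8', '10.0.0.0/8', '127.0.0.0/8',
  '169.254.0.0/16', '172.16.0.0/12', '192.168.0.0/16',
];

// Corrected denylist: adds 224.0.0.0/4 (multicast) and 240.0.0.0/4 (reserved).
const COMPLETE_DENYLIST = [...INCOMPLETE_DENYLIST, '224.0.0.0/4', '240.0.0.0/4'];

// Returns true only for a well-formed address outside every denied range.
// Malformed input is rejected outright rather than passed through.
function isAllowedDestination(ip, denylist) {
  if (ipv4ToInt(ip) === null) return false;
  return !denylist.some((cidr) => inCidr(ip, cidr));
}
```

With the incomplete list, `isAllowedDestination('224.0.0.251', INCOMPLETE_DENYLIST)` returns true, which is exactly the bypass; with the corrected list it returns false.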


Vulnerability details

Versions of the package ssrfcheck before 1.2.0 are vulnerable to Server-Side Request Forgery (SSRF) due to an incomplete denylist of IP address ranges. Specifically, the package fails to classify the reserved IP address space 224.0.0.0/4 (Multicast) as invalid. This oversight allows attackers to craft requests targeting these multicast addresses.

CWE(s): CWE-918 (Server-Side Request Forgery)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SSRF in public-facing Node.js package directly enables exploitation of T1190 to bypass validation and issue requests to restricted multicast addresses.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-6514 (shared CWE-918)
CVE-2026-44116 (shared CWE-918)
CVE-2026-21887 (shared CWE-918)
CVE-2026-31910 (shared CWE-918)
CVE-2026-48153 (shared CWE-918)
CVE-2026-45298 (shared CWE-918)
CVE-2026-39362 (shared CWE-918)
CVE-2026-31989 (shared CWE-918)
CVE-2025-27652 (shared CWE-918)
CVE-2026-42352 (shared CWE-918)

Affected Assets

Vendor: felipperegazio
Product: ssrf check
Versions: ≤ 1.2.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

SI-10 (prevent): SI-10 mandates validation of information inputs, directly addressing the incomplete IP denylist in ssrfcheck by requiring checks against reserved multicast ranges like 224.0.0.0/4.

SI-2 (prevent): SI-2 requires timely identification and remediation of flaws, such as patching ssrfcheck to version 1.2.0, which adds the missing 224.0.0.0/4 block.

SC-7 (prevent, detect): SC-7 enforces boundary protection to monitor and control outbound communications, mitigating SSRF attempts to multicast addresses even if input validation is bypassed.
