CVE-2025-8267
Published: 28 July 2025
Summary
CVE-2025-8267 is a high-severity SSRF (CWE-918) vulnerability in Felipperegazio Ssrf Check. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-8267 is a Server-Side Request Forgery (SSRF) vulnerability (CWE-918) affecting versions of the Node.js package ssrfcheck prior to 1.2.0. The flaw stems from an incomplete denylist of IP address ranges, specifically failing to classify the reserved multicast IP space 224.0.0.0/4 as invalid. This allows attackers to bypass input validation and direct the application to issue requests to these multicast addresses. The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), indicating high severity due to network accessibility and significant confidentiality impact.
Any unauthenticated attacker with network access to an application using vulnerable ssrfcheck versions can exploit this by crafting malicious URLs targeting 224.0.0.0/4 addresses. Successful exploitation enables the attacker to force the server to make unintended requests to multicast endpoints, potentially leading to high confidentiality impacts such as unauthorized access to internal resources or services listening on those addresses, with low integrity impact and no availability disruption.
Advisories and patches recommend upgrading to ssrfcheck version 1.2.0 or later, where the denylist has been updated via commit 9507b49fd764f2a1a1d1e3b9ee577b7545e6950e to properly block 224.0.0.0/4. Snyk's security advisory (SNYK-JS-SSRFCHECK-9510756) and the project's GitHub issue #5 detail the fix, emphasizing validation of all reserved IP ranges to prevent SSRF bypasses.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-22851
Vulnerability details
Versions of the package ssrfcheck before 1.2.0 are vulnerable to Server-Side Request Forgery (SSRF) due to an incomplete denylist of IP address ranges. Specifically, the package fails to classify the reserved IP address space 224.0.0.0/4 (Multicast) as invalid. This oversight allows attackers to craft requests targeting these multicast addresses.
- CWE(s): CWE-918 (Server-Side Request Forgery)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSRF in a public-facing Node.js package directly enables T1190: an attacker can bypass the package's validation and have the application issue requests to restricted multicast addresses.
Mitigating Controls (NIST 800-53 r5)
SI-10 mandates validation of information inputs, directly addressing the incomplete IP denylist in ssrfcheck by requiring checks against reserved multicast ranges like 224.0.0.0/4.
SI-2 requires timely identification and remediation of flaws, such as patching ssrfcheck to version 1.2.0 which adds the missing 224.0.0.0/4 block.
SC-7 enforces boundary protection to monitor and control outbound communications, mitigating SSRF attempts to multicast addresses even if input validation is bypassed.