CVE Reports

Posted on • Originally published at cvereports.com

CVE-2025-8267: Server-Side Request Forgery Bypass via Multicast Address Exclusion in ssrfcheck

Vulnerability ID: CVE-2025-8267
CVSS Score: 8.8
Published: 2026-05-05

The ssrfcheck npm package before version 1.2.0 contains a Server-Side Request Forgery (SSRF) vulnerability due to an incomplete blocklist of reserved IP address ranges. By omitting the IPv4 Multicast range (224.0.0.0/4), the library allows attackers to bypass validation and issue requests targeting internal network infrastructure.

TL;DR

A flaw in the ssrfcheck npm library (< 1.2.0) allows attackers to bypass SSRF protections by providing URLs resolving to IPv4 Multicast addresses. This enables targeted requests against internal services such as UPnP and mDNS.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-918
  • Attack Vector: Network
  • CVSS v4.0: 8.8 (High)
  • CVSS v3.1: 8.2 (High)
  • EPSS Score: 0.00119
  • Exploit Status: Proof-of-Concept Available
  • CISA KEV: Not Listed

Affected Systems

  • Node.js applications utilizing ssrfcheck < 1.2.0
  • Internal network infrastructure exposed to multicast routing (SSDP, UPnP, mDNS)
  • ssrfcheck: < 1.2.0 (Fixed in: 1.2.0)

Code Analysis

Commit: 9507b49

Security patch that adds the missing multicast range 224.0.0.0/4 to the internal private CIDR blocklist.

Exploit Details

  • GitHub Gist: Technical bypass and disclosure by Liran Tal detailing the IPv4 Multicast attack vector.

Mitigation Strategies

  • Upgrade the ssrfcheck dependency to version 1.2.0 or later to implement the complete private CIDR blocklist.
  • Enforce network-level egress filtering to drop traffic directed at the 224.0.0.0/4 IPv4 Multicast range.
  • Implement strict allow-listing for outbound network connections where business requirements permit.
  • Audit secondary validation logic for missing IPv6 reserved ranges, such as ff00::/8.

Remediation Steps:

  1. Run npm audit or use equivalent dependency scanning tools to identify projects utilizing vulnerable versions of ssrfcheck.
  2. Update the package.json dependency requirement to >=1.2.0.
  3. Execute npm install or yarn install to update the lockfile and download the patched package.
  4. Deploy the updated application and verify that validation tests utilizing 239.255.255.250 now return a failure state.
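
The check in step 4 can also be kept as a secondary, defense-in-depth validation that covers both 224.0.0.0/4 and the ff00::/8 range named under Mitigation Strategies. The following is an added example, not code from ssrfcheck or from the original report; it uses Node's built-in net.BlockList, and the range list and the names isBlocked, completeList and incompleteList are assumptions made for illustration.

```javascript
// Added example: a secondary destination-address check (not ssrfcheck's code).
const net = require("node:net");

// Ranges refused as request destinations. Illustrative list, not exhaustive.
const RESERVED = [
  ["0.0.0.0", 8, "ipv4"],
  ["10.0.0.0", 8, "ipv4"],
  ["127.0.0.0", 8, "ipv4"],
  ["169.254.0.0", 16, "ipv4"],
  ["172.16.0.0", 12, "ipv4"],
  ["192.168.0.0", 16, "ipv4"],
  ["224.0.0.0", 4, "ipv4"], // IPv4 multicast, the range this CVE is about
  ["::1", 128, "ipv6"],
  ["fc00::", 7, "ipv6"],
  ["fe80::", 10, "ipv6"],
  ["ff00::", 8, "ipv6"], // IPv6 multicast
];

function buildBlockList(ranges) {
  const list = new net.BlockList();
  for (const [prefix, bits, family] of ranges) {
    list.addSubnet(prefix, bits, family);
  }
  return list;
}

const completeList = buildBlockList(RESERVED);
// Same list with 224.0.0.0/4 left out, to show what the gap looks like.
const incompleteList = buildBlockList(
  RESERVED.filter(([prefix]) => prefix !== "224.0.0.0")
);

// True when `address` must be refused. Anything that is not a literal
// IP address is refused as well, so the check fails closed.
function isBlocked(address, list = completeList) {
  const family = net.isIP(address); // 4, 6, or 0 for "not an IP"
  if (family === 0) return true;
  return list.check(address, family === 4 ? "ipv4" : "ipv6");
}

// Constructed samples: SSDP, mDNS (v4 and v6), and one public address.
for (const ip of ["239.255.255.250", "224.0.0.251", "ff02::fb", "8.8.8.8"]) {
  console.log(ip, "complete:", isBlocked(ip),
    "without 224.0.0.0/4:", isBlocked(ip, incompleteList));
}
```

Apply the check to the address the connection will actually use after DNS resolution, not only to the hostname in the URL.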

Read the full report for CVE-2025-8267 on our website for more details including interactive diagrams and full exploit analysis.
