CVE-2025-8267: Server-Side Request Forgery Bypass via Multicast Address Exclusion in ssrfcheck

DEV Community·CVE Reports·27 days ago

Vulnerability ID: CVE-2025-8267
CVSS Score: 8.8
Published: 2026-05-05

The ssrfcheck npm package before version 1.2.0 contains a Server-Side Request Forgery (SSRF) vulnerability due to an incomplete blocklist of reserved IP address ranges. By omitting the IPv4 Multicast range (224.0.0.0/4), the library allows attackers to bypass validation and issue requests targeting internal network infrastructure.

TL;DR

A flaw in the ssrfcheck npm library (< 1.2.0) allows attackers to bypass SSRF protections by providing URLs resolving to IPv4 Multicast addresses. This enables targeted requests against internal services such as UPnP and mDNS.…
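
The blocklist gap described above, as an added example that is not part of the original post and not ssrfcheck's own code: a constructed IPv4 blocklist without 224.0.0.0/4 beside the same list with it, checked against the multicast groups used by UPnP (SSDP) and mDNS. All function and list names are hypothetical.

```javascript
// Added example, not ssrfcheck's code; all names here are hypothetical.

// Parse a dotted-quad IPv4 string into an integer, or null if malformed.
function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^(0|[1-9]\d{0,2})$/.test(p)) return null; // no octal, hex or empty octets
    const v = Number(p);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n;
}

// True when ip lies inside cidr ("a.b.c.d/len"). Plain arithmetic avoids
// JavaScript's signed 32-bit bitwise operators, which yield negative values
// for addresses at or above 128.0.0.0.
function inCidr(ip, cidr) {
  const [base, len] = cidr.split("/");
  const addr = ipv4ToInt(ip);
  const net = ipv4ToInt(base);
  if (addr === null || net === null) return false;
  const size = 2 ** (32 - Number(len));
  return Math.floor(addr / size) === Math.floor(net / size);
}

// Constructed list reproducing the gap described above: multicast is absent.
const INCOMPLETE_BLOCKLIST = [
  "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
  "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
];
// Same list plus IPv4 multicast. A production list should cover every
// IANA special-purpose range, not only the ones shown here.
const WITH_MULTICAST = [...INCOMPLETE_BLOCKLIST, "224.0.0.0/4"];

// Fail closed: anything that does not parse as IPv4 is treated as blocked.
function isBlocked(ip, blocklist) {
  if (ipv4ToInt(ip) === null) return true;
  return blocklist.some((cidr) => inCidr(ip, cidr));
}

// Constructed samples: SSDP (UPnP), mDNS, loopback, and a public address.
for (const ip of ["239.255.255.250", "224.0.0.251", "127.0.0.1", "8.8.8.8"]) {
  console.log(ip, isBlocked(ip, INCOMPLETE_BLOCKLIST), isBlocked(ip, WITH_MULTICAST));
}
```

The check only means something when it is applied to the address the hostname actually resolves to, and that same address is the one the request is sent to.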
