Platform
nodejs
Component
private-ip
Fixed in
3.0.3
CVE-2025-8020 identifies a Server-Side Request Forgery (SSRF) vulnerability within the private-ip Node.js package. This flaw allows attackers to manipulate the package into making requests to unintended destinations, potentially exposing internal resources or facilitating network reconnaissance. Versions of private-ip prior to version * are affected, and a fix is available in the latest release.
The SSRF vulnerability in private-ip allows an attacker to craft requests that the package will execute on the server. Because the package doesn't properly validate IP addresses, it's possible to provide a hostname or IP address that resolves to a multicast IP address (224.0.0.0/4). While multicast addresses themselves aren't directly exploitable for data exfiltration, they can be used to probe the internal network and identify services listening on those addresses. This reconnaissance can then be used to identify other vulnerabilities or misconfigurations. The blast radius extends to any internal network segment accessible from the server running the vulnerable private-ip package.
CVE-2025-8020 was publicly disclosed on 2025-07-23. The EPSS score is currently pending evaluation. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's nature makes it likely that a PoC will emerge. It is not currently listed on the CISA KEV catalog.
Applications and services that rely on the private-ip Node.js package for IP address manipulation are at risk. This includes internal tools, APIs, and microservices that process IP addresses as part of their functionality. Specifically, deployments using older versions of Node.js and relying on outdated package versions are particularly vulnerable.
• nodejs / server: `npm list private-ip`
  This command lists the installed version of the private-ip package. Check whether the version is 3.0.2 or earlier.
• nodejs / server: `grep -r 'private-ip' package.json`
  Search your project's package.json for the package to identify the dependency.
• generic web:
  Review application logs for unusual outbound requests to multicast IP addresses (224.0.0.0/4).
Disclosure
Exploit status
EPSS
0.02% (4th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-8020 is to upgrade to the latest version of the private-ip package, which contains a fix for the SSRF vulnerability. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing input validation on the server-side to restrict the IP addresses that the private-ip package can process. Additionally, a Web Application Firewall (WAF) could be configured to block requests containing suspicious IP addresses or hostnames. After upgrading, confirm the fix by attempting to send a request with a multicast IP address and verifying that it is rejected.
Update the private-ip package to the latest available version. This fixes the SSRF vulnerability by adding the multicast address range to the list of private IP ranges. Run `npm install private-ip@latest` or `yarn upgrade private-ip@latest` to update.
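The multicast gap described above, as an added example that is not part of this advisory or of the private-ip project: a server-side destination check that treats 224.0.0.0/4 as non-public (the input validation suggested as an interim mitigation) and a scan of egress log lines for multicast destinations (the log review suggested under detection). The blocked-range list, the `checkDestination` and `findMulticastEgress` names, and the key=value log format are assumptions made for this example.

```javascript
// Added example for this advisory; it is not code from the private-ip project.
// Part 1: a destination check that, unlike private-ip <= 3.0.2, treats multicast
// 224.0.0.0/4 as non-public. Part 2: a scan of egress log lines for multicast
// destinations. The blocked-range list and the log format are assumptions.

// Parse a strict dotted-decimal IPv4 literal into a 32-bit unsigned integer.
// Returns null for anything else ("10.1", hex octets, IPv6), so callers fail closed.
function ipv4ToInt(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (m === null) return null;
  let n = 0;
  for (let i = 1; i <= 4; i++) {
    const octet = Number(m[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// Build a CIDR range record: network base and mask as uint32, plus a label for messages.
function cidr(base, bits) {
  const mask = bits === 0 ? 0 : ((0xFFFFFFFF << (32 - bits)) >>> 0);
  return { base: ipv4ToInt(base), mask, label: `${base}/${bits}` };
}

function inRange(n, range) {
  return ((n & range.mask) >>> 0) === range.base;
}

const MULTICAST = cidr('224.0.0.0', 4);

// Non-public IPv4 ranges a server-side fetcher should never reach out to (assumed list).
const BLOCKED_RANGES = [
  cidr('0.0.0.0', 8),        // "this" network
  cidr('10.0.0.0', 8),       // RFC 1918
  cidr('100.64.0.0', 10),    // shared address space (carrier-grade NAT)
  cidr('127.0.0.0', 8),      // loopback
  cidr('169.254.0.0', 16),   // link-local, including cloud metadata endpoints
  cidr('172.16.0.0', 12),    // RFC 1918
  cidr('192.168.0.0', 16),   // RFC 1918
  MULTICAST,                 // the range CVE-2025-8020 concerns
  cidr('240.0.0.0', 4),      // reserved, including 255.255.255.255
];

// Decide whether an already-resolved IPv4 destination may be contacted.
// Resolve the hostname first and check the resulting address; the literal the
// client supplied says nothing about where DNS will actually send the request.
function checkDestination(ip) {
  const n = ipv4ToInt(ip);
  if (n === null) return { allowed: false, reason: 'not a strict dotted-decimal IPv4 literal' };
  for (const range of BLOCKED_RANGES) {
    if (inRange(n, range)) return { allowed: false, reason: `inside ${range.label}` };
  }
  return { allowed: true, reason: 'public unicast' };
}

// Constructed egress-proxy log lines in key=value form (the format is an assumption).
const SAMPLE_LOG = [
  '2025-07-24T10:01:02Z src=10.0.5.12 dst=203.0.113.10 dport=443 action=allow',
  '2025-07-24T10:01:05Z src=10.0.5.12 dst=224.0.0.251 dport=5353 action=allow',
  '2025-07-24T10:01:09Z src=10.0.5.12 dst=10.0.0.7 dport=8080 action=allow',
  '2025-07-24T10:01:11Z src=10.0.5.12 dst=239.255.255.250 dport=1900 action=allow',
  '2025-07-24T10:01:15Z src=10.0.5.12 dst=240.0.0.1 dport=80 action=allow',
];

// Return dst/dport for every line whose destination is inside 224.0.0.0/4.
// Ordinary RFC 1918 east-west traffic is left alone; only multicast is surfaced.
function findMulticastEgress(lines) {
  const hits = [];
  for (const line of lines) {
    const dst = /\bdst=(\S+)/.exec(line);
    if (dst === null) continue;
    const n = ipv4ToInt(dst[1]);
    if (n === null || !inRange(n, MULTICAST)) continue;
    const dport = /\bdport=(\d+)/.exec(line);
    hits.push({ dst: dst[1], dport: dport === null ? null : Number(dport[1]) });
  }
  return hits;
}

console.log(checkDestination('224.0.0.1'));    // { allowed: false, reason: 'inside 224.0.0.0/4' }
console.log(findMulticastEgress(SAMPLE_LOG));  // [ { dst: '224.0.0.251', dport: 5353 }, { dst: '239.255.255.250', dport: 1900 } ]
```

Run it with `node`. The check is meant to sit after name resolution and against the address the socket actually connects to; validating only the user-supplied string leaves the DNS answer unchecked. Unparseable input is rejected rather than normalised, so shorthand or hex forms cannot slip past the range comparison.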
CVE-2025-8020 is a Server-Side Request Forgery (SSRF) vulnerability affecting versions of the private-ip Node.js package up to 3.0.2, allowing attackers to potentially access internal resources.
You are affected if you are using the private-ip Node.js package version 3.0.2 or earlier. Check your project dependencies to determine if you are using a vulnerable version.
Upgrade to the latest version of the private-ip package. If immediate upgrade is not possible, implement server-side input validation to restrict IP address processing.
While no active exploitation has been confirmed, the vulnerability's nature makes it likely that exploitation attempts may occur. Monitor your systems for suspicious activity.
Refer to the package's repository or the maintainer's communication channels for the official advisory regarding CVE-2025-8020.