Platform: nodejs
Component: nossrf
Fixed in: 1.0.4
CVE-2025-2691 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in the nossrf Node.js package. This flaw allows attackers to bypass the intended SSRF protection mechanism by manipulating hostname resolution, potentially leading to unauthorized access to internal resources. The vulnerability affects versions of nossrf released before 1.0.4 and is resolved by upgrading to 1.0.4 or later.
The SSRF vulnerability in nossrf allows an attacker to craft requests that appear to originate from the server itself, bypassing security controls designed to prevent access to internal services. By providing a hostname that resolves to a local or reserved IP address, an attacker can circumvent the SSRF protection and potentially access sensitive data or internal systems. This could include accessing databases, configuration files, or other internal APIs. The impact is amplified if the server is exposed to the internet or if the attacker can leverage the vulnerability to pivot to other internal systems, leading to a broader compromise.
CVE-2025-2691 was publicly disclosed on March 23, 2025. The vulnerability's exploitation probability is considered medium due to the relatively simple nature of SSRF exploitation and the widespread use of Node.js in various applications. There are currently no known public proof-of-concept exploits, but the SSRF nature of the vulnerability makes it likely that one will emerge. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.14% (34th percentile)
CISA SSVC: not provided
CVSS Vector: not provided
The primary mitigation for CVE-2025-2691 is to immediately upgrade the nossrf package to version 1.0.4 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to filter requests based on hostname resolution. Specifically, block requests where the hostname resolves to local or reserved IP address ranges. Additionally, review and restrict the allowed hostnames within your application's code to minimize the attack surface. After upgrading, confirm the fix by attempting to trigger an SSRF request with a local IP address; the request should be blocked.
Update the nossrf package to version 1.0.4 or higher. This can be done by running `npm install nossrf@latest` or `yarn upgrade nossrf` in your project. Confirm that the installed version is 1.0.4 or later with `npm list nossrf`.
CVE-2025-2691 is a Server-Side Request Forgery vulnerability in the nossrf Node.js package, allowing attackers to bypass SSRF protection and potentially access internal resources.
You are affected if you are using a version of nossrf prior to 1.0.4 in your Node.js application. Check your package versions using `npm list nossrf`.
Upgrade the nossrf package to version 1.0.4 or later using `npm install nossrf@latest`. Consider WAF rules as a temporary workaround if immediate upgrade is not possible.
There are currently no confirmed reports of active exploitation, but the SSRF nature of the vulnerability makes it a potential target.
Refer to the official nossrf package repository or the npm advisory for the latest information and updates: [https://www.npmjs.com/package/nossrf](https://www.npmjs.com/package/nossrf)