Platform: nodejs
Component: private-ip
Fixed in: 3.0.3
CVE-2025-8020 identifies a Server-Side Request Forgery (SSRF) vulnerability within the private-ip Node.js package. This flaw allows attackers to manipulate the package into making requests to unintended destinations, potentially exposing internal resources or facilitating network reconnaissance. Versions of private-ip prior to version * are affected, and a fix is available in the latest release.
The SSRF vulnerability in private-ip allows an attacker to craft requests that the package will execute on the server. Because the package doesn't properly validate IP addresses, it's possible to provide a hostname or IP address that resolves to a multicast IP address (224.0.0.0/4). While multicast addresses themselves aren't directly exploitable for data exfiltration, they can be used to probe the internal network and identify services listening on those addresses. This reconnaissance can then be used to identify other vulnerabilities or misconfigurations. The blast radius extends to any internal network segment accessible from the server running the vulnerable private-ip package.
CVE-2025-8020 was publicly disclosed on 2025-07-23. The EPSS score is currently pending evaluation. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's nature makes it likely that a PoC will emerge. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.02% (4th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2025-8020 is to upgrade to the latest version of the private-ip package, which contains a fix for the SSRF vulnerability. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing input validation on the server-side to restrict the IP addresses that the private-ip package can process. Additionally, a Web Application Firewall (WAF) could be configured to block requests containing suspicious IP addresses or hostnames. After upgrading, confirm the fix by attempting to send a request with a multicast IP address and verifying that it is rejected.
Update the private-ip package to the latest version available. This will fix the SSRF vulnerability by including multicast addresses in the list of private IP ranges. Run `npm install private-ip@latest` or `yarn upgrade private-ip@latest` to update.
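A server-side destination check of the kind described above, as an added example that is not code from the private-ip project or its maintainers: it classifies the multicast block 224.0.0.0/4 (the range the vulnerable releases did not flag) as non-public alongside the other ranges an outbound request should never reach, fails closed on anything it cannot parse, and is meant to run on the resolved IPv4 address immediately before the request is sent. The range list and the check itself are this example's own, not private-ip's API.

```javascript
// Defensive destination gate for outbound requests (Node.js, no dependencies).
// Fail-closed: anything that is not a well-formed public IPv4 address is rejected.

// Ranges a server-side fetch must never reach. 224.0.0.0/4 is the multicast
// block that private-ip releases before 3.0.3 did not treat as private.
const NON_PUBLIC_V4 = [
  ['0.0.0.0', 8],       // "this" network
  ['10.0.0.0', 8],      // RFC 1918
  ['100.64.0.0', 10],   // carrier-grade NAT
  ['127.0.0.0', 8],     // loopback
  ['169.254.0.0', 16],  // link-local, where cloud metadata endpoints live
  ['172.16.0.0', 12],   // RFC 1918
  ['192.168.0.0', 16],  // RFC 1918
  ['224.0.0.0', 4],     // multicast: the gap behind CVE-2025-8020
  ['240.0.0.0', 4],     // reserved, includes 255.255.255.255 broadcast
];

// Parse a strict dotted-quad into an unsigned 32-bit integer. Returns null on
// anything unusual (short forms like "127.1", leading zeros, octets > 255) so
// that callers fail closed instead of guessing what a resolver would do.
function parseIPv4(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  let n = 0;
  for (let i = 1; i <= 4; i++) {
    const octet = Number(m[i]);
    if (octet > 255 || (m[i].length > 1 && m[i][0] === '0')) return null;
    n = n * 256 + octet;
  }
  return n;
}

// CIDR membership on unsigned 32-bit values; >>> 0 keeps JS bit ops unsigned.
function inCidr(addr, [base, bits]) {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((addr & mask) >>> 0) === ((parseIPv4(base) & mask) >>> 0);
}

// True only when the address is routable public space the server may contact.
function isPublicIPv4(ip) {
  const addr = parseIPv4(ip);
  if (addr === null) return false; // unparseable -> treat as unsafe
  return !NON_PUBLIC_V4.some((range) => inCidr(addr, range));
}

// Call this on the *resolved* address right before the outbound request;
// checking only the hostname string leaves a DNS-rebinding window open.
function assertSafeDestination(ip) {
  if (!isPublicIPv4(ip)) throw new Error(`blocked non-public destination ${ip}`);
  return ip;
}
```

The same function doubles as the post-upgrade check the mitigation text asks for: a multicast address such as 224.0.0.1 must come back rejected.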
CVE-2025-8020 is a Server-Side Request Forgery (SSRF) vulnerability affecting versions of the private-ip Node.js package up to 3.0.2, allowing attackers to potentially access internal resources.
You are affected if you are using the private-ip Node.js package version 3.0.2 or earlier. Check your project dependencies to determine if you are using a vulnerable version.
Upgrade to the latest version of the private-ip package. If immediate upgrade is not possible, implement server-side input validation to restrict IP address processing.
While no active exploitation has been confirmed, the vulnerability's nature makes exploitation attempts likely. Monitor your systems for suspicious activity.
Refer to the package's repository or the maintainer's communication channels for the official advisory regarding CVE-2025-8020.