Platform
nodejs
Component
nossrf
Fixed in
1.0.4
CVE-2025-2691 describes a Server-Side Request Forgery (SSRF) vulnerability in the nossrf Node.js package, a library whose purpose is to block SSRF. The flaw lets an attacker bypass the package's protection by manipulating hostname resolution, so that a request the library should have rejected is issued to an internal resource. All versions of nossrf before 1.0.4 are affected; upgrading to 1.0.4 or later resolves the issue.
An attacker who controls a URL the application fetches supplies a hostname that resolves to a loopback, private or otherwise reserved IP address. The hostname passes nossrf's check, and the server then issues the request itself, from inside the network. Services that are never exposed externally become reachable this way: internal HTTP APIs, administrative interfaces, databases with HTTP front ends, or endpoints that hand out configuration and secrets. The impact grows when the server is reachable from the internet, or when the internal services reached this way let the attacker pivot further into the environment.
CVE-2025-2691 was publicly disclosed on March 23, 2025. This page rates the exploitation probability as medium, because SSRF bypasses of this kind are simple to exploit and Node.js is widely deployed, although the EPSS score of 0.14% (34th percentile) is low. No public proof-of-concept exploit is currently known, but one may well appear given how straightforward SSRF exploitation is. The vulnerability is not listed in the CISA KEV catalog.
Any application that relies on nossrf to vet user-supplied URLs is at risk, especially when it runs in an environment where internal services (admin panels, metadata endpoints, databases, internal APIs) are reachable over HTTP or HTTPS from the application host. Shared hosting environments in which tenants install and manage their own Node.js packages are also exposed, since a vulnerable copy can be deployed without the platform operator's knowledge.
• nodejs / server:
npm list nossrf
If the output shows a version lower than 1.0.4, including nested copies installed under other packages, the system is vulnerable.
• nodejs / server:
npm audit
npm audit takes no package argument; it checks every dependency recorded in the lockfile against the npm advisory database and reports the nossrf advisory together with the upgrade it recommends.
• generic web: Review application and proxy logs for outbound requests from the application host to loopback, link-local (for example 169.254.169.254) or RFC 1918 addresses that the application has no legitimate reason to contact. Such requests are the signature of an SSRF bypass attempt.
disclosure
Exploit status
EPSS
0.14% (34th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-2691 is to upgrade the nossrf package to version 1.0.4 or later. If the upgrade cannot be applied immediately because of compatibility concerns, add a compensating control at the network layer: restrict outbound connections from the application host so that loopback, link-local (including the 169.254.0.0/16 range where cloud metadata services live) and RFC 1918 ranges are unreachable, whether through egress firewall rules, network policy, or a forward proxy that resolves and checks each destination. A WAF inspecting inbound requests can block obvious attempts, such as URL parameters naming localhost or a private address, but it cannot see what a hostname resolves to, so treat it as a weaker, secondary control. Independently of the library, restrict the hostnames the application may fetch to an explicit allow list. Whatever check is in place must apply to the address actually connected to, not only to the hostname string, and must be repeated on every redirect. After upgrading, confirm the fix by submitting a request whose target hostname resolves to a local IP address; the request must be rejected.
Upgrade the nossrf package to version 1.0.4 or later. This can be done by running `npm install nossrf@latest` or `yarn upgrade nossrf` in your project. Afterwards verify that the upgrade actually took effect, for example with `npm list nossrf`, and check that no nested copy of an older version remains.
CVE-2025-2691 is a Server-Side Request Forgery vulnerability in the nossrf Node.js package, allowing attackers to bypass SSRF protection and potentially access internal resources.
You are affected if you are using a version of nossrf prior to 1.0.4 in your Node.js application. Check your package versions using npm list nossrf.
Upgrade the nossrf package to version 1.0.4 or later using npm install nossrf@latest. If an immediate upgrade is not possible, restrict outbound connections from the application host to internal address ranges (egress filtering) and consider WAF rules as an additional temporary workaround.
There are currently no confirmed reports of active exploitation, but the SSRF nature of the vulnerability makes it a potential target.
Refer to the official nossrf package repository or the npm advisory for the latest information and updates: [https://www.npmjs.com/package/nossrf](https://www.npmjs.com/package/nossrf)