CVE-2025-2691

HIGH

nossrf < 1.0.4 - Server-Side Request Forgery via Hostname Bypass

Title source: llm

Description

Versions of the package nossrf before 1.0.4 are vulnerable to Server-Side Request Forgery (SSRF) where an attacker can provide a hostname that resolves to a local or reserved IP address space and bypass the SSRF protection mechanism.

References (1)

Core 1

Core References

Exploit, Third Party Advisory

https://security.snyk.io/vuln/SNYK-JS-NOSSRF-9510842

Scores

CVSS v3 8.2

EPSS 0.0003

EPSS Percentile 8.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-918

Status published

Products (2)

nossrf_project/nossrf < 1.0.4

npm/nossrf 0 - 1.0.4npm

Published Mar 23, 2025

Tracked Since Feb 18, 2026