CVE-2025-8020

HIGH

private-ip - Server-Side Request Forgery via Multicast IP Address

Title source: llm

Description

All versions of the package private-ip are vulnerable to Server-Side Request Forgery (SSRF) where an attacker can provide an IP or hostname that resolves to a multicast IP address (224.0.0.0/4) which is not included as part of the private IP ranges in the package's source code.

References (2)

Core 2

Core References

Various Sources

https://gist.github.com/lirantal/ed18a4493ca9fe4429957c79454a9df1

Third Party Advisory

https://security.snyk.io/vuln/SNYK-JS-PRIVATEIP-9510757

Scores

CVSS v3 8.2

EPSS 0.0009

EPSS Percentile 25.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-918

Status published

Products (2)

n/a/private-ip

npm/private-ip 0npm

Published Jul 23, 2025

Tracked Since Feb 18, 2026