ssrfcheck has Incomplete IP Address Deny List that leads to Server-Side Request Forgery Vulnerability
High severity
GitHub Reviewed
Published to the GitHub Advisory Database: Jul 28, 2025
Updated: Jul 28, 2025
Published by the National Vulnerability Database: Jul 28, 2025
Reviewed: Jul 28, 2025

Description
Versions of the package ssrfcheck before 1.2.0 are vulnerable to Server-Side Request Forgery (SSRF) due to an incomplete denylist of IP address ranges. Specifically, the package fails to classify the reserved IP address space 224.0.0.0/4 (Multicast) as invalid. This oversight allows attackers to craft requests targeting these multicast addresses.
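To make the gap concrete, here is an added example (not ssrfcheck's own code, which is JavaScript; Python is used so the standard library's ipaddress classification can serve as a cross-check). The two denylists are constructed for illustration and do not claim to reproduce the package's real list; the point is that a hand-maintained list without 224.0.0.0/4 accepts multicast targets, while adding the block, or deferring to a maintained classifier such as `is_global`, rejects them.

```python
import ipaddress

# Constructed illustration of a hand-rolled IPv4 denylist that omits the
# multicast block, mirroring the gap described in the advisory.
INCOMPLETE_DENYLIST = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "240.0.0.0/4",
)]

# The same list with the reserved multicast range 224.0.0.0/4 added.
COMPLETE_DENYLIST = INCOMPLETE_DENYLIST + [ipaddress.ip_network("224.0.0.0/4")]


def is_denied(host: str, denylist) -> bool:
    """True if `host` is a literal IP inside any range of `denylist`.

    Hostnames return False here: resolving names and re-checking every
    resolved address is a separate step this example does not cover.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in denylist)


def is_safe_target(host: str) -> bool:
    """Defensive check for a literal IP target.

    Rejects anything in the complete denylist and, as a second line of
    defence, anything the standard library does not consider globally
    routable, which catches ranges a hand-written list may have missed.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # unparsable input is treated as unsafe
    if is_denied(host, COMPLETE_DENYLIST):
        return False
    return ip.is_global


if __name__ == "__main__":
    for target in ("224.0.0.1", "239.255.255.250", "127.0.0.1", "8.8.8.8"):
        print(target,
              "incomplete-list denies:", is_denied(target, INCOMPLETE_DENYLIST),
              "complete-list denies:", is_denied(target, COMPLETE_DENYLIST),
              "safe:", is_safe_target(target))
```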