Nu Html Checker Restriction Bypass Vulnerability Allowing Local Server-Side Request Forgery

Vulnerability

A restriction bypass vulnerability has been identified in Nu Html Checker (validator.nu) that allows remote attackers to make the server perform arbitrary HTTP or HTTPS requests to internal resources, including services running on localhost. The validator attempts to block direct access to localhost and 127.0.0.1 through hostname-based protections. However, these controls can be circumvented using DNS rebinding techniques or by exploiting domains that resolve to loopback addresses, such as localtest.me. This vulnerability affects the latest version of Nu Html Checker, as of the latest commit on January 11, 2026.

Impact

Exploitation of this vulnerability allows for server-side request forgery (SSRF) attacks, where an attacker can access internal services that are normally protected from external access.

Reproduction

The vulnerability can be reproduced by sending a request to the Nu Html Checker service with the 'doc' parameter set to a URL that resolves to a localhost service. This can be done using a domain like localtest.me, which points to 127.0.0.1. Alternatively, the vulnerability can be exploited by uploading an XML document that includes an external entity reference to a localhost service, using the 'parser' parameter set to 'xmldtd'.
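The gap between a hostname-string check and a check on the resolved address, as an added example (not code from Nu Html Checker or from this advisory). The function names, the constructed DNS table and the injected resolver are assumptions made so the example runs offline. A fetcher using this approach must connect to the returned address rather than resolve the name again, and must apply the same check to redirects and to external entity fetches.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

BLOCKED_NAMES = {"localhost", "127.0.0.1"}  # hostname-only blocklist, as the advisory describes

def hostname_check(url):
    """Weak control: compares only the hostname string, never what it resolves to."""
    return (urlsplit(url).hostname or "").lower() not in BLOCKED_NAMES

def system_resolver(host):
    """Every address the name resolves to, via the system resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def resolved_address_check(url, resolver=system_resolver):
    """Resolve once, reject if any address is non-public, and return the
    address to connect to (pinning closes the DNS rebinding window)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("unsupported URL")
    try:
        addrs = [ipaddress.ip_address(parts.hostname)]  # IP literal in the URL
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolver(parts.hostname)]
    if not addrs:
        raise ValueError("host does not resolve")
    for addr in addrs:
        # Judge IPv4-mapped IPv6 (::ffff:127.0.0.1) by its embedded IPv4 address.
        effective = getattr(addr, "ipv4_mapped", None) or addr
        if not effective.is_global:
            raise ValueError(f"{parts.hostname} resolves to non-public address {addr}")
    return str(addrs[0])

# Constructed DNS answers for the demonstration (not real lookups).
CONSTRUCTED_DNS = {
    "localtest.me": ["127.0.0.1"],               # loopback, as stated in the advisory
    "public.example": ["93.184.216.34"],         # constructed public address
    "mixed.example": ["93.184.216.34", "10.0.0.5"],
}

def constructed_resolver(host):
    return CONSTRUCTED_DNS.get(host, [])
```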

Added: Jan 16, 2026, 2:20 PM
Updated: Jan 16, 2026, 4:37 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 8.2
remediation: 0.0
relevance: 2.1
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.