nossrf Server-Side Request Forgery Vulnerability
Vulnerability
A Server-Side Request Forgery (SSRF) vulnerability exists in the nossrf package in versions prior to 1.0.4. This vulnerability allows an attacker to provide a hostname that resolves to a local or reserved IP address, bypassing the package's SSRF protection mechanisms.
Impact
Exploitation of this vulnerability could lead to unauthorized access to internal services or resources, allowing an attacker to interact with them as if they were a trusted user or system.
Reproduction
To reproduce this vulnerability, create an application that uses a version of the nossrf package prior to 1.0.4. Use the package's asynchronous URL validation function to check a hostname that resolves to a local IP address, such as localtest.me. The validation will incorrectly report the URL as safe, demonstrating the bypass of the SSRF protection: the check inspects the literal hostname rather than the address it resolves to.
Remediation
Upgrade the nossrf package to version 1.0.4 or later.
