ssrfcheck Library Server-Side Request Forgery Protection Bypass Vulnerability

Vulnerability

A vulnerability in the ssrfcheck library, affecting versions 1.3.0 and earlier, allows Server-Side Request Forgery (SSRF) attacks to bypass the library's protections. The library checks the URL host against a regex for private IPv4 ranges; when a private or loopback address is written as an IPv4-mapped IPv6 literal instead of a dotted quad, the regex does not match and the address is not recognized as private. As a result, applications that call isSSRFSafeURL() to validate user-supplied URLs before making HTTP requests remain exposed to SSRF, including theft of cloud instance metadata and access to internal services that are not reachable from the internet.

Impact

Exploitation completely bypasses the library's SSRF protection: an attacker who controls a URL that passes through isSSRFSafeURL() can direct the server's HTTP client at loopback, private-network services, or cloud metadata endpoints, with the same consequences as if no check were in place.

Reproduction

Install ssrfcheck 1.3.0 or earlier in a Node.js environment and call isSSRFSafeURL() with a URL whose host is an IPv4-mapped IPv6 literal of a private or loopback address (the ::ffff:a.b.c.d form, for example http://[::ffff:127.0.0.1]/ in place of http://127.0.0.1/). The function reports the URL as safe, which demonstrates the bypass.

Remediation

No patched version of ssrfcheck was available at the time of writing. Update as soon as a release that addresses this issue is published. Until then, do not rely on isSSRFSafeURL() alone: before making the request, decode IPv6 host literals and unmap ::ffff:a.b.c.d back to its IPv4 form (or resolve the hostname) and apply the private-range check to the resulting address rather than to the raw URL string.

Added: May 12, 2026, 6:58 PM
Updated: May 12, 2026, 6:58 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.9
exploitability: 8.7
remediation: 0.0
relevance: 8.1
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.