DSSRF Node.js Library IPv6 Bypass Vulnerability Allowing Server-Side Request Forgery

Vulnerability

A vulnerability in the DSSRF Node.js library prior to version 1.3.0 allows attackers to bypass certain security checks related to IPv6 addresses, leading to server-side request forgery (SSRF). The issue arises because the library's IPv6 handling is flawed, particularly in how it categorizes and validates the different types of IPv6 addresses. The bypass can be demonstrated with IPv6 addresses that are reserved for local or special use: the library does not treat them as blocked, so they pass its SSRF defenses.

Impact

Exploitation of this vulnerability allows for server-side request forgery, where an attacker can make the server perform requests on their behalf, potentially accessing internal resources or services.

Reproduction

To reproduce this vulnerability, first install the DSSRF library version 1.0.2 or earlier. Then, create a script that uses the 'is_url_safe' function to test various IPv6 addresses. The library will incorrectly allow addresses that should be blocked, demonstrating the bypass.

Remediation

Users are advised to update the DSSRF library to version 1.3.0 or later, where this vulnerability has been fixed.

Added: May 12, 2026, 9:20 PM
Updated: May 12, 2026, 9:20 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.4
exploitability: 8.2
remediation: 0.0
relevance: 8.1
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.