PT-2026-37306 · Npm · Ssrfcheck
Published 2026-05-05 · Updated 2026-05-12 · CVE-2026-43929
CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions
ssrfcheck versions 1.3.0 and earlier
Description
ssrfcheck fails to block Server-Side Request Forgery (SSRF) when a private target IP address is written as an IPv4-mapped IPv6 address (e.g., 'http://[::ffff:127.0.0.1]/'). The WHATWG URL parser in Node.js normalizes IPv4 notation inside brackets to the compressed hex form (e.g., '[::ffff:7f00:1]') before the library's validation runs. The internal regex used to detect private IPs is written for dot-decimal notation only, so it does not match the normalized input. As a result, all seven IANA private IPv4 ranges, including the cloud metadata address '169.254.169.254', can be bypassed. Applications that rely on the isSSRFSafeURL() function to validate user-supplied URLs are fully exposed to SSRF, which could allow attackers to steal cloud metadata, pivot to internal networks, or reach services bound to the loopback interface.
Recommendations
For versions 1.3.0 and earlier, replace the regex-based denylist in the privIp6() function in the src/is-private-ip.js file with a check that operates on parsed IP values, such as Node's net.BlockList, so that differences in string representation cannot affect the result.
Exploit
Fix
Incomplete List of Disallowed Inputs
SSRF
Related Identifiers
Affected Products
Ssrfcheck