Skip to main content

Mondoo

Vulnerability Management
Technology
Services

Solutions

Financial Services
Manufacturing
Healthcare

Resources

Blog
Vulnerability Database
Documentation
GitHub

Company

About
Careers
Partners
Contact

Legal

Privacy
Terms
Imprint

© 2026 Mondoo, Inc.

Log in Get Assessment

Vulnerability IntelligenceCVE-2025-8267

CVE-2025-8267

HIGH8.8

Versions of the package ssrfcheck before 1

Published Jul 28, 2025

Modified 10 months ago

Details

Versions of the package ssrfcheck before 1.2.0 are vulnerable to Server-Side Request Forgery (SSRF) due to an incomplete denylist of IP address ranges. Specifically, the package fails to classify the reserved IP address space 224.0.0.0/4 (Multicast) as invalid. This oversight allows attackers to craft requests targeting these multicast addresses.

References

https://gist.github.com/lirantal/2976840639df824cb3abe60d13c65e04

https://github.com/felippe-regazio/ssrfcheck/commit/9507b49fd764f2a1a1d1e3b9ee577b7545e6950e

https://github.com/felippe-regazio/ssrfcheck/issues/5

https://security.snyk.io/vuln/SNYK-JS-SSRFCHECK-9510756

https://www.cve.org/CVERecord?id=CVE-2025-8267

CVSS Analysis

CVSS v4.0

8.8

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Attack Requirements

NoneAT:N

Privileges Required

NonePR:N

User Interaction

NoneUI:N

Vulnerable System

Vuln. Confidentiality

HighVC:H

Vuln. Integrity

LowVI:L

Vuln. Availability

NoneVA:N

Subsequent System

Subseq. Confidentiality

NoneSC:N

Subseq. Integrity

NoneSI:N

Subseq. Availability

NoneSA:N

8.8/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

Weakness Type (CWE)

Input Validation

Server-Side Request Forgery (SSRF)

Ecosystems

Timeline

PublishedJul 28, 2025

ModifiedJul 28, 2025

CVE-2025-8267 | Mondoo Vulnerability Intelligence