ssrfcheck v1.3.0 (latest) fails to block Server-Side Request Forgery attacks when the target private IP address is encoded as an IPv4-mapped IPv6 address (e.g. http://[::ffff:127.0.0.1]/). The WHATWG URL parser built into Node.js silently normalizes the IPv4 notation inside the brackets to compressed hex form ([::ffff:7f00:1]) before the library's private-IP regex ever runs. The regex was written to match dot-notation only and therefore never matches any real input — all seven IANA private IPv4 ranges, including the AWS/GCP/Azure metadata address 169.254.169.254, are bypassed. Any application using isSSRFSafeURL() to guard HTTP requests made with user-supplied URLs is fully exposed to SSRF.
Vulnerable file: src/is-private-ip.js
The library detects IPv6 private addresses using the privIp6() function. The relevant portion:
// src/is-private-ip.js (lines ~40-60 of the published source)
function privIp6 (ip) {
return /^::$/.test(ip) ||
/^::1$/.test(ip) ||
/^::f{4}:([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$/.test(ip) ||
/^::f{4}:0.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$/.test(ip) ||
/^64:ff9b::([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$/.test(ip) ||
// ... more patterns, all expect dot-notation ...
}
The third line is the IPv4-mapped IPv6 check. It expects input in the form ::ffff:127.0.0.1 (dots). However, the IP is extracted from the URL using url.hostname, which goes through the WHATWG URL parser first.
How WHATWG URL normalizes the address (src/parse-url.js):
const url = new URL(normalizeURLStr(input)); // WHATWG URL parser runs here
const ipcheck = trimBrackets(url.hostname); // e.g. '::ffff:7f00:1' ← hex, no dots
const ipVersion = isIP(ipcheck); // returns 6
The WHATWG URL spec (§5.3 IPv6 serializer) converts all embedded IPv4 notation to two 16-bit hex groups during parsing:
127.0.0.1...
Exploitability
AV:NAC:LPR:NUI:NScope
S:UImpact
C:HI:LA:N8.2/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N