ssrfcheck Vulnerable to Server-Side Request Forgery (SSRF) and Incomplete List of Disallowed Inputs — CVE-2026-43929
GitHub · GitHub · CVE-2026-43929
ID
CVE-2026-43929
CVE-2026-43929
Date
Updated
Activity
Source
GitHub
GitHub
Vendor
GitHub
GitHub
Threat
high
high
CVSS
8.2
8.2
EPSS
0.00039
0.00039
Summary
### Summary `ssrfcheck` v1.3.0 (latest) fails to block Server-Side Request Forgery attacks when the target private IP address is encoded as an IPv4-mapped IPv6 address (e.g. `http://[::ffff:127.0.0.1]/`). The WHATWG URL parser built into Node.js silently normalizes the IPv4 notation inside the brackets to compressed hex form (`[::ffff:7f00:1]`) before the library's private-IP regex ever runs. The regex was written…
Product
npm: ssrfcheck
What to do
General, cautious steps (verify details in the official source):
- Prioritize patching or mitigation immediately (treat as actively risky).
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.