CVE-2025-2691

CVE-2025-2691, published on 2025-03-23, affects versions of the JavaScript package nossrf prior to 1.0.4. This vulnerability is a Server-Side Request Forgery (SSRF) issue classified under CWE-918, where an attacker can bypass the package's SSRF protection mechanism by supplying a hostname that resolves to a local or reserved IP address space. The flaw carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), indicating high severity due to its network accessibility, low attack complexity, and lack of prerequisites.

Unauthenticated attackers with network access can exploit this vulnerability without user interaction. By providing malicious hostnames to the affected nossrf package, they can circumvent SSRF mitigations, enabling requests to internal or reserved IP spaces. This achieves high confidentiality impact by potentially exposing sensitive internal resources and low integrity impact through limited manipulation capabilities.

The Snyk security advisory at https://security.snyk.io/vuln/SNYK-JS-NOSSRF-9510842 details the vulnerability and confirms that it is remediated in nossrf version 1.0.4. Practitioners should upgrade to this version or later in affected applications to prevent exploitation.