
CVE-2025-8020: private-ip vulnerable to Server-Side Request Forgery

CVSS Score (v3.1): 8.2

Basic Information

EPSS Score: 0.0669%
Published: 7/23/2025
Updated: 7/23/2025
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Package Name: private-ip
Ecosystem: npm
Vulnerable Versions: <= 3.0.2
First Patched Version: not listed

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability exists because the private-ip package does not correctly identify multicast IP addresses as being part of a reserved range. The analysis of the source code in src/index.ts confirms the findings from the security advisories. The PRIVATE_IP_RANGES array, which is fundamental to the package's logic, is missing the 224.0.0.0/4 multicast block. The ipv4_check function directly uses this incomplete list to validate IPv4 addresses. The main default exported function serves as the entry point and directs IPv4 input to the flawed ipv4_check function. Consequently, any application using this package for SSRF protection can be bypassed by an attacker using a multicast IP address. The vulnerable functions are the default exported function, which is the main entry point, and the ipv4_check function, which contains the flawed logic.
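To make the root cause concrete, the following is an added example (not code from the private-ip package) of an IPv4 reserved-range check. It uses its own constructed range lists: one modelled on a list that omits the 224.0.0.0/4 multicast block, and one that includes it, so the difference in how a multicast address is classified can be seen directly. The helper names (ipv4ToInt, inCidr, isReserved) and the range lists are this example's own assumptions.

```javascript
// Added example, not the private-ip package's code. Demonstrates why a
// reserved-range list that omits 224.0.0.0/4 lets multicast addresses
// through, and what the check looks like once the block is included.

// Parse a dotted-quad IPv4 string into an unsigned 32-bit integer.
function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) throw new Error(`invalid IPv4 address: ${ip}`);
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) throw new Error(`invalid IPv4 octet: ${p}`);
    const v = Number(p);
    if (v > 255) throw new Error(`octet out of range: ${p}`);
    n = n * 256 + v;
  }
  return n >>> 0;
}

// True if `ip` falls inside the CIDR block `cidr` (e.g. "224.0.0.0/4").
function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  if (!(bits >= 0 && bits <= 32)) throw new Error(`invalid prefix: ${cidr}`);
  // A shift by 32 wraps to 0 in JS, so handle /0 explicitly.
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// Constructed list (assumption): private/loopback/link-local blocks only,
// with no multicast entry, mirroring the gap the advisory describes.
const RANGES_WITHOUT_MULTICAST = [
  '0.0.0.0/8',
  '10.0.0.0/8',
  '127.0.0.0/8',
  '169.254.0.0/16',
  '172.16.0.0/12',
  '192.168.0.0/16',
];

// Constructed list (assumption): the same blocks plus multicast (224.0.0.0/4),
// the reserved/experimental block (240.0.0.4) and shared address space.
const RANGES_WITH_MULTICAST = [
  ...RANGES_WITHOUT_MULTICAST,
  '100.64.0.0/10',
  '224.0.0.0/4',
  '240.0.0.4'.replace('.4', '.0/4'), // 240.0.0.0/4, written out for clarity below
];

// Does `ip` land in any block of `ranges`? Defaults to the complete list.
function isReserved(ip, ranges = RANGES_WITH_MULTICAST) {
  return ranges.some((cidr) => inCidr(ip, cidr));
}

// Side-by-side verdict for one address under both lists.
function compareVerdicts(ip) {
  return {
    ip,
    withoutMulticast: isReserved(ip, RANGES_WITHOUT_MULTICAST),
    withMulticast: isReserved(ip, RANGES_WITH_MULTICAST),
  };
}

// Usage: a multicast address is missed by the incomplete list and caught
// by the complete one; an ordinary public address is allowed by both.
console.log(compareVerdicts('224.0.0.1'));
console.log(compareVerdicts('8.8.8.8'));
```

Run the check on the address a hostname actually resolves to, not only on a literal IP supplied by the caller, since the bypass described above applies equally when a name resolves to a multicast address.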


WAF Protection Rules

WAF Rule

All versions of the package private-ip are vulnerable to Server-Side Request Forgery (SSRF) where an attacker can provide an IP or hostname that resolves to a multicast IP address (224.0.0.0/4) which is not included as part of the private IP ranges i
