An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS05aDNxLTMyYzctcjUzM84ABKcS

Severity: High | CVSS: 7.8 | EPSS: 0.0003% (0.0669 percentile)

private-ip vulnerable to Server-Side Request Forgery

Affected Packages    Affected Versions    Fixed Versions
npm:private-ip       <= 3.0.2             No known fixed version

35 dependent packages
1,279 dependent repositories
661,554 downloads last month

Affected Version Ranges

All affected versions

0.1.0, 1.0.0, 1.0.1, 1.0.2, 1.0.5, 2.0.0, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 3.0.0, 3.0.1, 3.0.2

All versions of the package private-ip are vulnerable to Server-Side Request Forgery (SSRF): an attacker can supply an IP address, or a hostname that resolves to an address, in the multicast block (224.0.0.0/4), which is not included in the private IP ranges checked by the package's source code.
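As an added example (not the private-ip package's own code), a dotted-quad IPv4 classifier that treats the multicast block from this advisory as non-public alongside the usual private, loopback and link-local ranges; the range list and function names are assumptions chosen for illustration.

```javascript
// Constructed range list: every block a server-side fetch should refuse.
// Entries are [network, prefix length]; 224.0.0.0/4 is the block the
// advisory reports as missing from private-ip's checks.
const NON_PUBLIC_V4 = [
  ["0.0.0.0", 8],        // "this" network
  ["10.0.0.0", 8],       // RFC 1918
  ["100.64.0.0", 10],    // shared address space (CGNAT)
  ["127.0.0.0", 8],      // loopback
  ["169.254.0.0", 16],   // link-local, where cloud metadata endpoints sit
  ["172.16.0.0", 12],    // RFC 1918
  ["192.168.0.0", 16],   // RFC 1918
  ["224.0.0.0", 4],      // multicast: the block this advisory is about
  ["240.0.0.0", 4],      // reserved, includes 255.255.255.255
];

// Strict dotted-decimal parser: returns an unsigned 32-bit integer, or null
// for anything else (octal-looking octets, hex, bare integers, too few parts).
function parseIPv4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  let n = 0;
  for (let i = 1; i <= 4; i++) {
    const o = m[i];
    if (o.length > 1 && o[0] === "0") return null; // reject leading zeros
    const v = Number(o);
    if (v > 255) return null;
    n = (n << 8) | v;
  }
  return n >>> 0;
}

// True when addr falls inside base/prefix.
function inCidr(addr, base, prefix) {
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return ((addr & mask) >>> 0) === ((base & mask) >>> 0);
}

// Fail closed: unparsable input is treated as non-public so it is refused.
function isNonPublicIPv4(s) {
  const addr = parseIPv4(s);
  if (addr === null) return true;
  return NON_PUBLIC_V4.some(([net, p]) => inCidr(addr, parseIPv4(net), p));
}
```

Apply the check to the address the hostname actually resolved to (and pin the connection to that address), not to the hostname string, since a resolver answer is what the advisory's attacker controls.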

References: