{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2025-8267","assignerOrgId":"bae035ff-b466-4ff4-94d0-fc9efd9e1730","state":"PUBLISHED","assignerShortName":"snyk","dateReserved":"2025-07-27T12:56:36.513Z","datePublished":"2025-07-28T05:00:00.992Z","dateUpdated":"2025-07-28T16:01:35.358Z"},"containers":{"cna":{"metrics":[{"cvssV3_1":{"version":"3.1","attackVector":"NETWORK","attackComplexity":"LOW","exploitCodeMaturity":"PROOF_OF_CONCEPT","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":8.2,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:P"},"cvssV4_0":{"version":"4.0","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","exploitMaturity":"PROOF_OF_CONCEPT","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","baseScore":8.8,"baseSeverity":"HIGH","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"}}],"credits":[{"value":"Liran Tal","lang":"en"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-918","description":"Server-Side Request Forgery (SSRF)","lang":"en"}]}],"providerMetadata":{"orgId":"bae035ff-b466-4ff4-94d0-fc9efd9e1730","shortName":"snyk","dateUpdated":"2025-07-28T05:00:00.992Z"},"descriptions":[{"value":"Versions of the package ssrfcheck before 1.2.0 are vulnerable to Server-Side Request Forgery (SSRF) due to an incomplete denylist of IP address ranges. Specifically, the package fails to classify the reserved IP address space 224.0.0.0/4 (Multicast) as invalid. \nThis oversight allows attackers to craft requests targeting these multicast addresses.","lang":"en"}],"references":[{"url":"https://security.snyk.io/vuln/SNYK-JS-SSRFCHECK-9510756"},{"url":"https://gist.github.com/lirantal/2976840639df824cb3abe60d13c65e04"},{"url":"https://github.com/felippe-regazio/ssrfcheck/issues/5"},{"url":"https://github.com/felippe-regazio/ssrfcheck/commit/9507b49fd764f2a1a1d1e3b9ee577b7545e6950e"}],"affected":[{"product":"ssrfcheck","versions":[{"version":"0","lessThan":"1.2.0","status":"affected","versionType":"semver"}],"vendor":"n/a"}]},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-07-28T16:01:27.452463Z","id":"CVE-2025-8267","options":[{"Exploitation":"poc"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-07-28T16:01:35.358Z"}}]}}