CVE-2025-2691 HIGH

CVE-2025-2691

Vendor N/A

Product nossrf

Weakness CWE-918 · SSRF

Published March 23, 2025

Last update March 24, 2025

View on NVD All CVEs

CVSS base score

8.2/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:P

What the vulnerability does

01Description

Versions of the package nossrf before 1.0.4 are vulnerable to Server-Side Request Forgery (SSRF) where an attacker can provide a hostname that resolves to a local or reserved IP address space and bypass the SSRF protection mechanism.

Key dates

02Disclosure timeline

March 23, 2025 CVE published

March 24, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-2691 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/918.html

Related vulnerabilities

04Related CVE

CVE-2021-39339 Telefication <= 1.8.0 Open Proxy and Server-Side Request Forgery CVE-2023-48306 Nextcloud Server DNS pin middleware can be tricked into DNS rebinding allowing SSRF CVE-2026-7798 FluentCRM <= 2.9.87 - Unauthenticated Blind Server-Side Request Forgery via 'SubscribeURL' Parameter CVE-2025-62763 CVE-2023-40630 Extension - joomcode.com - Unauthenticated LFI/SSRF in JCDashboards component for Joomla 1.0.0-1.1.30