is-localhost-ip 2.0.0 - SSRF Vulnerability Discovered

A proof-of-concept (PoC) demonstrating an SSRF / localhost canonicalization bypass has been developed for is-localhost-ip version 2.0.0. The PoC, reported on November 9, 2025, shows how a naive server that relies on is-localhost-ip to block "localhost" by hostname can be bypassed by supplying the loopback address in an alternate encoding (hex, decimal, octal, or IPv4-mapped IPv6). The vulnerability is tracked as CVE-2025-9960.

Key Features of the PoC:

  • The included index.js is a tested, minimal Express app that exposes /check-url?url=<URL>. The route runs is-localhost-ip(hostname) on the supplied host and fetches the URL only if the check allows it.
  • It also exposes /secret, which returns a generated secret-style JSON object used to prove that the bypass leaks data from the loopback-only endpoint.

For instance, a normal GET /check-url?url=https://10.10.0.28:3005 results in a 403 Forbidden with the response {"error":"localhost not allowed"}. An exploit payload such as GET /check-url?url=https://[::ffff:7f00:1]:3005, however, returns a 200 OK, confirming access and returning details like {"message":"Express server running", ... "endpoints":["GET /","GET /check-url?url=<URL>","GET /secret"],"port":3005}.

Important Warning ⚠️

This repository contains a proof-of-concept (PoC) demonstrating an SSRF / localhost canonicalization bypass. Run it only on isolated, non-production machines (a local VM or sandbox) and do NOT expose it to the internet. Avoid running it on machines that have access to production networks, secret stores, or sensitive services. Prefer an isolated VM with no network access to your corporate network, or a disposable container with egress to RFC1918 and loopback ranges blocked.

For additional safety, the sensitive test endpoint can be removed entirely by editing PoC.js and removing or commenting out the /secret route. The PoC also documents the safer practices that mitigate this class of bug: resolve hostnames to IP addresses server-side using DNS and check every returned address against ipaddr.js ranges (rejecting loopback, private, link-local, and reserved addresses); reject non-http(s) schemes, credentials embedded in the URL, and ports outside an allow-list; and do not follow redirects when fetching the upstream resource.

This post is licensed under CC BY 4.0 by the author.