{"id":12588026,"name":"dssrf","ecosystem":"npm","description":"SSRF defense library for Node.js with safe URL validation utilities.","homepage":"https://github.com/HackingRepo/dssrf-js#readme","licenses":"MIT","normalized_licenses":["MIT"],"repository_url":"https://github.com/HackingRepo/dssrf-js","keywords_array":["ssrf","safe-http","secure-url","nodejs","web-security"],"namespace":null,"versions_count":4,"first_release_published_at":"2025-12-12T14:38:18.645Z","latest_release_published_at":"2026-04-27T20:56:05.792Z","latest_release_number":"1.0.3","last_synced_at":"2026-05-23T01:13:22.497Z","created_at":"2025-12-15T00:07:46.391Z","updated_at":"2026-05-23T03:13:28.224Z","registry_url":"https://www.npmjs.com/package/dssrf","install_command":"npm install dssrf","documentation_url":null,"metadata":{"funding":null,"dist-tags":{"latest":"1.0.3"}},"repo_metadata":{"id":328345814,"uuid":"1115214653","full_name":"HackingRepo/dssrf-js","owner":"HackingRepo","description":"DSSRF is a Node.js  library that provides a wide range of utilities and advanced SSRF defense checks, helping make your website resistant to SSRF attacks when implemented 
correctly.","archived":false,"fork":false,"pushed_at":"2026-05-16T20:54:13.000Z","size":373,"stargazers_count":6,"open_issues_count":9,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-05-16T22:40:45.137Z","etag":null,"topics":["javascript-security","nodejs-security","owasp","safety-useful","security","security-tools","ssrf-detection-","ssrf-prevention","web-security"],"latest_commit_sha":null,"homepage":"https://www.npmjs.com/package/dssrf","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/HackingRepo.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"patreon":"RelunSec","open_collective":"relunsec","ko_fi":"relunsec"}},"created_at":"2025-12-12T14:07:48.000Z","updated_at":"2026-05-16T20:51:55.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/HackingRepo/dssrf-js","commit_stats":null,"previous_names":["hackingrepo/dssrf-js"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/HackingRepo/dssrf-js","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HackingRepo%2Fdssrf-js","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HackingRepo%2Fdssrf-js/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HackingRepo%2Fdssrf-js/releases","manifests_url":"https://repos.ecosyst
e.ms/api/v1/hosts/GitHub/repositories/HackingRepo%2Fdssrf-js/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/HackingRepo","download_url":"https://codeload.github.com/HackingRepo/dssrf-js/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HackingRepo%2Fdssrf-js/sbom","scorecard":{"id":1243642,"data":{"date":"2026-02-19T19:47:26Z","repo":{"name":"github.com/HackingRepo/dssrf-js","commit":"723b243815d76aed1c4c0c3a9a5b112b4f6322a5"},"scorecard":{"version":"v5.1.1","commit":"cd152cb6742c5b8f2f3d2b5193b41d9c50905198"},"score":6.6,"checks":[{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: detected update tool: Dependabot: .github/dependabot.yml:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#dependency-update-tool"}},{"name":"Maintained","score":0,"reason":"project was created in last 90 days. 
please review its contents carefully","details":["Warn: Repository was created in last 90 days."],"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#maintained"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#binary-artifacts"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#security-policy"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#packaging"}},{"name":"Code-Review","score":0,"reason":"Found 0/23 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#code-review"}},{"name":"Pinned-Dependencies","score":10,"reason":"all 
dependencies are pinned","details":["Info:  18 out of  18 GitHub-owned GitHubAction dependencies pinned","Info:   5 out of   5 third-party GitHubAction dependencies pinned","Info:   3 out of   3 npmCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#pinned-dependencies"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":10,"reason":"GitHub workflow tokens follow principle of least privilege","details":["Info: jobLevel 'packages' permission set to 'read': .github/workflows/codeql.yml:22","Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql.yml:23","Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:24","Info: jobLevel 'actions' permission set to 'read': .github/workflows/devskim.yml:20","Info: jobLevel 'contents' permission set to 'read': .github/workflows/devskim.yml:21","Info: jobLevel 'contents' permission set to 'read': .github/workflows/labeler.yml:11","Info: jobLevel 'actions' permission set to 'read': .github/workflows/njsscan.yml:23","Info: jobLevel 'contents' permission set to 'read': .github/workflows/njsscan.yml:21","Info: jobLevel 'contents' permission set to 'read': .github/workflows/scorecard.yml:19","Info: jobLevel 'actions' permission set to 'read': .github/workflows/scorecard.yml:20","Info: jobLevel 'contents' permission set to 'read': .github/workflows/snyk-infrastructure.yml:17","Info: jobLevel 'actions' permission set to 'read': .github/workflows/snyk-infrastructure.yml:19","Info: 
topLevel permissions set to 'read-all': .github/workflows/codeql.yml:12","Info: topLevel 'contents' permission set to 'read': .github/workflows/codspeed.yml:11","Info: topLevel permissions set to 'read-all': .github/workflows/devskim.yml:13","Info: found token with 'none' permissions: .github/workflows/labeler.yml:6","Info: topLevel 'contents' permission set to 'read': .github/workflows/njsscan.yml:16","Info: topLevel 'contents' permission set to 'read': .github/workflows/node.js.yml:13","Info: topLevel permissions set to 'read-all': .github/workflows/scorecard.yml:9","Info: topLevel permissions set to 'read-all': .github/workflows/snyk-infrastructure.yml:11","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#token-permissions"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#license"}},{"name":"CII-Best-Practices","score":2,"reason":"badge detected: InProgress","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#cii-best-practices"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#vulnerabilities"}},{"name":"SAST","score":10,"reason":"SAST tool 
detected","details":["Info: SAST configuration detected: CodeQL","Info: SAST configuration detected: Snyk","Info: all commits (19) are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#sast"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#signed-releases"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#fuzzing"}},{"name":"Branch-Protection","score":1,"reason":"branch protection is not maximal on development and all release branches","details":["Info: 'allow deletion' disabled on branch 'main'","Warn: 'force pushes' enabled on branch 'main'","Warn: 'branch protection settings apply to administrators' is disabled on branch 'main'","Warn: 'stale review dismissal' is disabled on branch 'main'","Warn: required approving review count is 1 on branch 'main'","Warn: codeowners review is not required on branch 'main'","Warn: 'last push approval' is disabled on branch 'main'","Info: 'up-to-date branches' is required to merge on branch 'main'","Info: status check found to merge onto on branch 'main'","Info: PRs are required in order to make changes on branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection 
settings.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#branch-protection"}},{"name":"Contributors","score":0,"reason":"project has 0 contributing companies or organizations -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#contributors"}},{"name":"CI-Tests","score":10,"reason":"15 out of 15 merged PRs checked by a CI test -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#ci-tests"}}]},"last_synced_at":"2026-02-19T22:33:27.024Z","repository_id":328345814,"created_at":"2026-02-19T22:33:27.024Z","updated_at":"2026-02-19T22:33:27.024Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33197530,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-18T09:27:30.708Z","status":"ssl_error","status_checked_at":"2026-05-18T09:27:28.300Z","response_time":71,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"},"owner_record":{"login":"HackingRepo","name":"Anonymous 
ethc4","uuid":"173050347","kind":"user","description":"","email":"","website":null,"location":null,"twitter":null,"company":null,"icon_url":"https://avatars.githubusercontent.com/u/173050347?v=4","repositories_count":1,"last_synced_at":"2025-03-21T14:58:45.648Z","metadata":{"has_sponsors_listing":false},"html_url":"https://github.com/HackingRepo","funding_links":[],"total_stars":0,"followers":0,"following":2,"created_at":"2024-06-18T06:59:32.442Z","updated_at":"2025-03-21T14:58:45.648Z","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/HackingRepo","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/HackingRepo/repositories"},"tags":[]},"repo_metadata_updated_at":"2026-05-23T01:13:22.921Z","dependent_packages_count":0,"downloads":36769,"downloads_period":"last-month","dependent_repos_count":0,"rankings":{"downloads":13.69983697140415,"dependent_repos_count":23.258921123031744,"dependent_packages_count":33.545733332978614,"stargazers_count":null,"forks_count":null,"docker_downloads_count":null,"average":23.501497142471504},"purl":"pkg:npm/dssrf","advisories":[{"uuid":"GSA_kwCzR0hTQS04cDMzLXE4MjctZ2hqNc4ABWSv","url":"https://github.com/advisories/GHSA-8p33-q827-ghj5","title":"dssrf: every IPv6 category bypasses is_url_safe","description":"A vulnerability in dssrf allows an attacker to bypass its SSRF protections by supplying one of the following IPv6 addresses, resulting in a successful SSRF. This contradicts dssrf documentation, which incorrectly claims that IPv6 is disabled entirely. 
See below:\n\n```rust\nInput\tCategory\nhttp://[::1]/\tIPv6 loopback\nhttp://[fc00::1]/\tIPv6 ULA\nhttp://[fe80::1]/\tIPv6 link-local\nhttp://[::ffff:127.0.0.1]/\tIPv4-mapped loopback\nhttp://[::ffff:169.254.169.254]/\tIPv4-mapped IMDS\nhttp://[::ffff:100.64.0.1]/\tIPv4-mapped CGNAT\nhttp://[64:ff9b::7f00:1]/\tNAT64 well-known prefix\nhttp://[64:ff9b:1::1]/\tNAT64 local-use (RFC 8215)\nhttp://[5f00::1]/\tSRv6 SID (RFC 9602)\nhttp://[3fff::1]/\tIPv6 documentation (RFC 9637)\nhttp://[fec0::1]/\tIPv6 site-local (deprecated, RFC 3879)\nhttp://[::127.0.0.1]/\tIPv4-compatible IPv6\n```\n\n### POC\n\n```bash\nmkdir dssrf-poc \u0026\u0026 cd dssrf-poc\nnpm init -y \u003e/dev/null\nnpm install dssrf@^1.0.2\ncat \u003e audit.js \u003c\u003c'EOF'\nconst dssrf = require('dssrf');\nconst cases = [\n  ['http://[::1]/',                         'IPv6 loopback'],\n  ['http://[fc00::1]/',                     'IPv6 ULA'],\n  ['http://[fe80::1]/',                     'IPv6 link-local'],\n  ['http://[::ffff:127.0.0.1]/',            'IPv4-mapped loopback'],\n  ['http://[::ffff:169.254.169.254]/',      'IPv4-mapped IMDS'],\n  ['http://[64:ff9b::7f00:1]/',             'NAT64 well-known + 127.0.0.1'],\n  ['http://[64:ff9b:1::1]/',                'NAT64 local-use (RFC 8215)'],\n  ['http://[5f00::1]/',                     'SRv6 SID (RFC 9602)'],\n  ['http://[fec0::1]/',                     'IPv6 site-local deprecated'],\n  ['http://127.0.0.1/',                     'IPv4 loopback (control)'],\n  ['http://10.0.0.1/',                      'IPv4 RFC1918 (control)'],\n  ['http://8.8.8.8/',                       'PUBLIC IPv4 (control)'],\n];\n(async () =\u003e {\n  for (const [url, label] of cases) {\n    const safe = await dssrf.is_url_safe(url);\n    console.log(`${safe ? 
'✓ALLOW' : '·block'}  ${url.padEnd(40)}  ${label}`);\n  }\n})();\nEOF\nnode audit.js\n```\n\n### Credit\ndssrf thanks \u003cbrmenna@gmail.com\u003e for reporting this issue responsibly.\n\n### Update\nUsers should immediately update to dssrf 1.3.0.\n\n### Lessons Learned\nAs seen both in the past and today, many advisories and CVE bypasses leverage IPv6. IPv6 remains the weakest link, as it is rarely configured correctly and seldom tested. In this case, while IPv4 was properly blocked, the corresponding IPv6 blocking logic was completely broken and never actually worked.","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2026-05-06T18:13:32.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":8.7,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N","references":["https://github.com/HackingRepo/dssrf-js/security/advisories/GHSA-8p33-q827-ghj5","https://github.com/advisories/GHSA-8p33-q827-ghj5"],"source_kind":"github","identifiers":["GHSA-8p33-q827-ghj5","CVE-2026-44232"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-05-06T19:00:08.535Z","updated_at":"2026-05-23T03:00:38.853Z","epss_percentage":0.00018,"epss_percentile":0.04939,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04cDMzLXE4MjctZ2hqNc4ABWSv","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS04cDMzLXE4MjctZ2hqNc4ABWSv","packages":[{"ecosystem":"npm","package_name":"dssrf","versions":[{"first_patched_version":"1.3.0","vulnerable_version_range":"\u003c 
1.3.0"}],"purl":"pkg:npm/dssrf"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04cDMzLXE4MjctZ2hqNc4ABWSv/related_packages","related_advisories":[]}],"docker_usage_url":"https://docker.ecosyste.ms/usage/npm/dssrf","docker_dependents_count":null,"docker_downloads_count":null,"usage_url":"https://repos.ecosyste.ms/usage/npm/dssrf","dependent_repositories_url":"https://repos.ecosyste.ms/api/v1/usage/npm/dssrf/dependencies","status":null,"funding_links":["https://patreon.com/RelunSec","https://opencollective.com/relunsec","https://ko-fi.com/relunsec"],"critical":null,"issue_metadata":{"last_synced_at":"2026-04-28T00:17:39.246Z","issues_count":0,"pull_requests_count":0,"avg_time_to_close_issue":null,"avg_time_to_close_pull_request":null,"issues_closed_count":0,"pull_requests_closed_count":0,"pull_request_authors_count":0,"issue_authors_count":0,"avg_comments_per_issue":null,"avg_comments_per_pull_request":null,"merged_pull_requests_count":0,"bot_issues_count":0,"bot_pull_requests_count":0,"past_year_issues_count":0,"past_year_pull_requests_count":0,"past_year_avg_time_to_close_issue":null,"past_year_avg_time_to_close_pull_request":null,"past_year_issues_closed_count":0,"past_year_pull_requests_closed_count":0,"past_year_pull_request_authors_count":0,"past_year_issue_authors_count":0,"past_year_avg_comments_per_issue":null,"past_year_avg_comments_per_pull_request":null,"past_year_bot_issues_count":0,"past_year_bot_pull_requests_count":0,"past_year_merged_pull_requests_count":0,"issues_url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/repositories/HackingRepo%2Fdssrf-js/issues","maintainers":[],"active_maintainers":[]},"versions_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/dssrf/versions","version_numbers_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/dssrf/version_numbers","latest_version_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/dssrf/latest_vers
ion","dependent_packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/dssrf/dependent_packages","related_packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/dssrf/related_packages","codemeta_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/dssrf/codemeta","maintainers":[{"uuid":"relunsec","login":"relunsec","name":null,"email":"cs7778503@gmail.com","url":null,"packages_count":36,"html_url":"https://www.npmjs.com/~relunsec","role":null,"created_at":"2025-12-15T00:29:28.908Z","updated_at":"2025-12-15T00:29:28.908Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/maintainers/relunsec/packages"}]}