CVE-2026-43929 Overview
CVE-2026-43929 is a Server-Side Request Forgery (SSRF) protection bypass in the ssrfcheck Node.js library, versions 1.3.0 and earlier. The library's isSSRFSafeURL() function fails to block requests to private IP addresses when those addresses are written as IPv4-mapped IPv6 literals, such as http://[::ffff:127.0.0.1]/. The WHATWG URL parser in Node.js serializes the bracketed host as compressed hexadecimal groups ([::ffff:7f00:1]) before the library's regex sees it. Because the regex only matches dotted-decimal notation, every private and special-purpose IPv4 range the library is meant to block can be reached through this notation, including the cloud metadata endpoint 169.254.169.254.
Critical Impact
Applications relying on ssrfcheck to validate user-supplied URLs are fully exposed to SSRF attacks against internal services and cloud metadata endpoints (AWS, GCP, Azure).
Affected Products
- ssrfcheck npm library, versions 1.3.0 and earlier
- Node.js applications using isSSRFSafeURL() for URL validation
- Cloud-hosted services exposing user-driven HTTP fetch functionality protected by ssrfcheck
Discovery Timeline
- 2026-05-12 - CVE-2026-43929 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-43929
Vulnerability Analysis
The ssrfcheck library implements private-IP filtering with regular expressions that match dotted-decimal IPv4 notation. When an attacker submits a URL whose host is an IPv4-mapped IPv6 literal in brackets, the Node.js WHATWG URL parser canonicalizes the host component first: [::ffff:127.0.0.1] is serialized as [::ffff:7f00:1], with the last 32 bits rendered as two hexadecimal groups, before the library performs its private-range check.
The regex was never designed to inspect hexadecimal IPv6 groups, so the check returns a safe verdict for any address routed through this notation. Every IPv4 range the library's patterns cover can be reached this way, including 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8 and the link-local 169.254.0.0/16 block that hosts cloud instance metadata services.
This is categorized as Incomplete List of Disallowed Inputs [CWE-184]: the denylist enumerates one textual form of each private range and misses the equivalent IPv4-mapped IPv6 form. The vulnerability is a Server-Side Request Forgery (SSRF) protection bypass.
Root Cause
The root cause is a mismatch between the input format the regex expects and the canonicalized output the URL parser produces. The library validates the host string after the parser has already rewritten it, but its patterns assume the original dotted-decimal representation. For a mapped literal the check therefore never matches, and the request is silently allowed to proceed. The robust order is to canonicalize first and compare second: reduce the host to one binary address (unwrapping ::ffff: to the IPv4 value it denotes) and test that address against the private ranges, rather than matching text that has several equivalent spellings.
Attack Vector
An attacker supplies a URL such as http://[::ffff:169.254.169.254]/latest/meta-data/ to an application endpoint that passes user-controlled URLs through isSSRFSafeURL() before fetching them. The library returns true (safe), the application issues the HTTP request from inside the cloud network, and the response, often containing temporary cloud credentials (AWS IAM role credentials, for example) or other internal data, is returned to the attacker. No authentication or user interaction is required beyond access to the fetch endpoint.
// Example exploitation payloads (sanitized)
// Targeting the AWS instance metadata service (IMDSv1 path; GCP and Azure
// expose different paths and require a Metadata-Flavor / Metadata request header):
http://[::ffff:169.254.169.254]/latest/meta-data/iam/security-credentials/
// Targeting localhost services:
http://[::ffff:127.0.0.1]:8080/admin
// Equivalent hexadecimal form, which is what the parser hands to the library:
http://[::ffff:7f00:1]:8080/admin
// Targeting internal RFC1918 ranges:
http://[::ffff:10.0.0.1]/
http://[::ffff:192.168.1.1]/
Detection Methods for CVE-2026-43929
Indicators of Compromise
- Outbound HTTP requests from application servers to 169.254.169.254, 127.0.0.1, or RFC1918 ranges originating from URL-fetch handlers
- Application logs showing bracketed IPv6 hosts containing ::ffff: prefixes in user-supplied URL parameters
- Unexpected access to cloud instance metadata endpoints from workloads that do not normally query them
Detection Strategies
- Inspect web application logs and WAF telemetry for URL parameters containing [::ffff: or other IPv6 bracket notation
- Audit Node.js dependency manifests (package.json, package-lock.json) for ssrfcheck versions at or below 1.3.0
- Correlate user-driven URL submissions with outbound DNS or HTTP traffic to private address space
Monitoring Recommendations
- Alert on any process-level egress connections to 169.254.169.254 from production application workloads
- Monitor cloud audit logs (AWS CloudTrail, GCP Audit Logs, Azure Activity Logs) for unexpected metadata service access patterns
- Instrument outbound HTTP clients inside Node.js processes so that requests whose destination resolves to private IP space are logged and, ideally, refused
How to Mitigate CVE-2026-43929
Immediate Actions Required
- Upgrade ssrfcheck to a patched release above 1.3.0 once available, per the GitHub Security Advisory
- Apply IMDSv2 enforcement on AWS EC2 instances to require session tokens for metadata access
- Audit application code paths that pass user-controlled URLs to outbound HTTP clients
Patch Information
Refer to the GitHub Security Advisory GHSA-j4rj-2jr5-m439 for vendor remediation guidance. Until a fixed version is installed, treat isSSRFSafeURL() as ineffective against IPv6-encoded payloads.
Workarounds
- Resolve the hostname to IP addresses yourself, validate every resolved address against private ranges with a library that understands IPv6 and IPv4-mapped notation, and then connect to the address you validated rather than re-resolving the name (otherwise a DNS record that changes between the check and the connection can pass the check and still reach an internal host)
- Block outbound traffic from application servers to 169.254.0.0/16, 127.0.0.0/8 and the RFC1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) at the network or security-group layer; this backstops the check regardless of how the address was written
- Reject any URL whose host begins with [ (IPv6 literal) before passing it to ssrfcheck, unless your application explicitly requires IPv6 destinations; this closes only the literal-address path and does not cover DNS names that resolve to private addresses
# Example egress restriction using iptables (Linux host). The rules are scoped with the
# owner match to the unprivileged account the Node.js app runs as (assumed here to be
# "app"), so host services that legitimately use loopback or RFC1918 keep working.
# Note: blocking 169.254.169.254 for the app user also blocks its own SDK credential
# lookups via IMDS; if the app needs IMDS, rely on IMDSv2 enforcement instead.
iptables -A OUTPUT -m owner --uid-owner app -d 169.254.0.0/16 -j REJECT
iptables -A OUTPUT -m owner --uid-owner app -d 127.0.0.0/8 -j REJECT
iptables -A OUTPUT -m owner --uid-owner app -d 10.0.0.0/8 -j REJECT
iptables -A OUTPUT -m owner --uid-owner app -d 172.16.0.0/12 -j REJECT
iptables -A OUTPUT -m owner --uid-owner app -d 192.168.0.0/16 -j REJECT
# AWS IMDSv2 enforcement. --http-put-response-hop-limit 1 keeps the session-token
# response from crossing a network hop, so a bridged container or proxy on the
# instance cannot obtain a token; omit it if containerized workloads need IMDS.
aws ec2 modify-instance-metadata-options \
--instance-id i-xxxxxxxx \
--http-tokens required \
--http-put-response-hop-limit 1 \
--http-endpoint enabled
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


