CVE-2026-44232 Overview
CVE-2026-44232 is a Server-Side Request Forgery (SSRF) defense bypass in DSSRF, a Node.js library that provides utilities and SSRF protection checks. Versions prior to 1.3.0 fail to validate IPv6 addresses correctly. Every IPv6 address category bypasses the is_url_safe validation function. Attackers can submit IPv6-formatted URLs to evade the library's defenses and reach internal network resources. The maintainers fixed the issue in version 1.3.0. The vulnerability is tracked under [CWE-791] (Incomplete Filtering of Special Elements).
Critical Impact
Applications relying on DSSRF for SSRF protection can be tricked into issuing requests to internal IPv6 endpoints, exposing metadata services, internal APIs, and other restricted resources.
Affected Products
- DSSRF (dssrf-js) Node.js library, all versions prior to 1.3.0
- Node.js applications using DSSRF's is_url_safe for SSRF defense
- Downstream services that rely on DSSRF allowlist validation before making outbound HTTP requests
Discovery Timeline
- 2026-05-12 - CVE-2026-44232 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-44232
Vulnerability Analysis
DSSRF exposes the is_url_safe function to determine whether a user-supplied URL is safe to fetch. The function inspects the destination host and rejects requests targeting private, loopback, link-local, and other reserved address ranges. In versions before 1.3.0, the validation logic only enforces these checks against IPv4 addresses. IPv6 addresses pass through is_url_safe regardless of their category, including loopback (::1), unique local (fc00::/7), link-local (fe80::/10), and IPv4-mapped IPv6 addresses such as ::ffff:127.0.0.1.
An attacker who controls a URL passed to a DSSRF-protected fetcher can supply an IPv6 literal pointing to an internal resource. The library returns a safe verdict, and the application proceeds to issue the request. This grants the attacker reach into internal networks, cloud instance metadata services exposed over IPv6, and services bound to IPv6 loopback. The flaw compromises integrity by enabling unintended outbound requests under the application's identity.
Root Cause
The root cause is incomplete filtering of special elements [CWE-791]. The address category checks operate on IPv4 representations only. The IPv6 parsing path either returns a default-safe verdict or skips the reserved-range comparison entirely.
Attack Vector
Exploitation requires only network access to an application endpoint that forwards user-controlled URLs into is_url_safe. The attacker submits a URL with an IPv6 host literal such as http://[::1]:8080/admin or http://[::ffff:169.254.169.254]/latest/meta-data/. DSSRF validates the URL as safe, and the host application issues the request to the internal target. No authentication or user interaction is required.
No public exploit code is published. The mechanism is described in the GitHub Security Advisory.
Detection Methods for CVE-2026-44232
Indicators of Compromise
- Outbound HTTP requests from application servers to IPv6 loopback (::1), link-local (fe80::/10), or unique-local (fc00::/7) addresses
- Application logs showing user-supplied URLs containing bracketed IPv6 literals or ::ffff: IPv4-mapped notation
- Unexpected access attempts to cloud metadata endpoints reached over IPv6
Detection Strategies
- Inventory package.json and package-lock.json files across Node.js services for dssrf entries with versions below 1.3.0
- Inspect web application firewall and proxy logs for inbound requests carrying IPv6 URL parameters destined for fetcher endpoints
- Correlate outbound connection telemetry with the originating user request to identify SSRF chains
Monitoring Recommendations
- Alert on any application-initiated connection to IPv6 reserved ranges that should be unreachable from production workloads
- Track DNS resolutions returning AAAA records that map to internal address space
- Monitor cloud metadata service access patterns for unexpected callers
How to Mitigate CVE-2026-44232
Immediate Actions Required
- Upgrade DSSRF to version 1.3.0 or later across all Node.js services
- Audit all call sites of is_url_safe to confirm the upgrade is in effect at runtime
- Restrict outbound network access from application servers to required destinations only using egress firewall rules
Patch Information
The maintainers fixed the IPv6 bypass in DSSRF 1.3.0. Update the dependency in package.json to ^1.3.0 and reinstall. Review the GitHub Security Advisory GHSA-8p33-q827-ghj5 for release notes and remediation guidance.
Workarounds
- Reject any user-supplied URL containing a bracketed IPv6 literal before invoking is_url_safe until the patch is deployed
- Disable IPv6 on application egress interfaces where IPv6 connectivity is not required
- Enforce an allowlist of approved outbound destinations at the network layer instead of relying solely on application-level validation
# Configuration example
npm install dssrf@^1.3.0
npm ls dssrf
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
