Nu Html Checker (vnu) contains a Server-Side Request Forgery (SSRF) vulnerability

Severity:: Medium

Description

Nu Html Checker (validator.nu) contains a restriction bypass that allows remote attackers to make the server perform arbitrary HTTP/HTTPS requests to internal resources, including localhost services. While the validator implements hostname-based protections to block direct access to localhost and 127.0.0.

Recommendation

No fix is available yet. Followings are affected versions:

<= 26.1.11

References

GHSA-fccg-7w3p-w66f
fluidattacks.com
CVE-2025-15104
CWE-918
CAPEC-310
OWASP 2021-A10
OWASP 2021-A6

Related Issues

Bootstrap Vulnerable to Cross-Site Scripting in its Popover and Tooltip Components - CVE-2025-1647
Matrix JavaScript SDK's key history sharing could share keys to malicious devices - CVE-2024-47080
Sending a GET or HEAD request with a body crashes SvelteKit (GHSA-g5m6-hxpp-fc49) - CVE-2024-23641
msgpackr's conversion of property names to strings can trigger infinite recursion - CVE-2023-52079

Tags:: npm; vnu-jar

Anything's wrong? Let us know Last updated on January 16, 2026