Nu Html Checker (vnu) contains a Server-Side Request Forgery (SSRF) vulnerability

Severity:: Medium

Description

Nu Html Checker (validator.nu) contains a restriction bypass that allows remote attackers to make the server perform arbitrary HTTP/HTTPS requests to internal resources, including localhost services. While the validator implements hostname-based protections to block direct access to localhost and 127.0.0.

Recommendation

No fix is available yet. Followings are affected versions:

<= 26.1.11

References

GHSA-fccg-7w3p-w66f
fluidattacks.com
CVE-2025-15104
CWE-918
CAPEC-310
OWASP 2021-A10
OWASP 2021-A6

Related Issues

HackMD MCP Server has Server-Side Request Forgery (SSRF) vulnerability - CVE-2025-59155
google-translate-api-browser Server-Side Request Forgery (SSRF) Vulnerability - CVE-2023-48711
Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format - CVE-2025-64430
Parse Server is vulnerable to Server-Side Request Forgery (SSRF) via Instagram OAuth Adapter - CVE-2025-68150

Tags:: npm; vnu-jar

Anything's wrong? Let us know Last updated on January 16, 2026