SSRF Bypass Demonstrated in is‑localhost‑ip 2.0.0 Library Exposes Localhost Access
What Happened – A public proof‑of‑concept (PoC) released on GitHub shows that the is-localhost-ip npm package (v2.0.0) can be tricked into treating specially‑encoded IP addresses (hex, octal, IPv6‑mapped, etc.) as non‑localhost, allowing a server that only blocks the literal string “localhost” to reach internal services via Server‑Side Request Forgery (SSRF).
Why It Matters for TPRM –
- Third‑party libraries are often bundled into SaaS and internal web applications; a vulnerable dependency can turn a benign service into an internal reconnaissance vector.
- SSRF can be leveraged to exfiltrate secrets, pivot to internal APIs, or compromise cloud metadata services, amplifying supply‑chain risk.
- The PoC is openly available, meaning threat actors can readily adapt the technique against any vulnerable deployment.
Who Is Affected – Organizations that develop or host Node.js web services and include the is-localhost-ip package, spanning technology SaaS, fintech, health‑tech, and any sector relying on open‑source npm dependencies.
Recommended Actions –
- Conduct an immediate inventory of all applications using is-localhost-ip (or similar hostname‑validation libraries).
- Upgrade to a patched version or replace the library with a robust validation routine that resolves IPs and blocks loopback ranges.
- Enforce network‑level egress controls (e.g., deny outbound traffic to RFC 1918 and loopback from untrusted containers).
- Add SSRF detection rules to WAF/IDS and perform regular dependency‑vulnerability scans.
Technical Notes – The PoC runs an Express server exposing /check-url?url= which fetches the supplied URL after a naive is‑localhost‑ip check. By supplying encoded representations such as 0x7f000001 or ::ffff:127.0.0.1, the check is bypassed and the server can request internal resources (e.g., http://localhost:8080/secret). No CVE has been assigned; the issue stems from improper hostname canonicalization. Source: Exploit‑DB #52496