CVE-2025-15104

Exploit

EPSS 0.03%
Veröffentlicht 16.01.2026 14:15:54
Zuletzt bearbeitet 23.01.2026 16:57:18
Quelle help@fluidattacks.com
CVE-Watchlists
Login
Unerledigt
Login

Nu Html Checker (validator.nu) contains a restriction bypass that allows remote attackers to make the server perform arbitrary HTTP/HTTPS requests to internal resources, including localhost services. While the validator implements hostname-based protections to block direct access to localhost and 127.0.0.1, these controls can be bypassed using DNS rebinding techniques or domains that resolve to loopback addresses.This issue affects The Nu Html Checker (vnu): latest (commit 23f090a11bab8d0d4e698f1ffc197a4fe226a9cd).

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Validator ≫ Validator Version < 2026-01-11

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.065

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
help@fluidattacks.com	6.9	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

https://fluidattacks.com/advisories/europe

Third Party Advisory

Exploit

https://github.com/validator/validator

Product

https://nvd.nist.gov/vuln/detail/CVE-2025-15104

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-15104

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-15104

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-15104