Moderate severityNVD Advisory· Published Jan 16, 2026· Updated Jan 16, 2026
Nu Html Checker (validator.nu) - Restriction bypass vulnerability allowing local SSRF
CVE-2025-15104
Description
Nu Html Checker (validator.nu) contains a restriction bypass that allows remote attackers to make the server perform arbitrary HTTP/HTTPS requests to internal resources, including localhost services. While the validator implements hostname-based protections to block direct access to localhost and 127.0.0.1, these controls can be bypassed using DNS rebinding techniques or domains that resolve to loopback addresses.This issue affects The Nu Html Checker (vnu): latest (commit 23f090a11bab8d0d4e698f1ffc197a4fe226a9cd).
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
nu.validator:validatorMaven | <= 26.1.11 | — |
vnu-jarnpm | <= 26.1.11 | — |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- fluidattacks.com/advisories/europeghsathird-party-advisoryWEB
- github.com/advisories/GHSA-fccg-7w3p-w66fghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-15104ghsaADVISORY
News mentions
0No linked articles in our index yet.