High severity8.2GHSA Advisory· Published Jul 23, 2025· Updated Apr 29, 2026

CVE-2025-8020

Description

All versions of the package private-ip are vulnerable to Server-Side Request Forgery (SSRF) where an attacker can provide an IP or hostname that resolves to a multicast IP address (224.0.0.0/4) which is not included as part of the private IP ranges in the package's source code.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
private-ipnpm	<= 3.0.2	—

Affected products

Frenchbread/Private IpGHSA
Range: <= 3.0.2

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-9h3q-32c7-r533ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2025-8020ghsaADVISORY
gist.github.com/lirantal/ed18a4493ca9fe4429957c79454a9df1nvdWEB
security.snyk.io/vuln/SNYK-JS-PRIVATEIP-9510757nvdWEB

News mentions

No linked articles in our index yet.

cvss	0.533
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000