PatchSiren

CVE-2026-44232 HackingRepo CVE debrief

CVE-2026-44232 is a high-severity bypass of the SSRF protection in the Node.js library dssrf-js. According to the public advisory, in versions before 1.3.0 a URL whose host is an IPv6 address passes the is_url_safe check whatever category that address belongs to, so the function does not block IPv6 destinations at all. The issue is fixed in 1.3.0. The NVD record lists the vulnerability status as Deferred and references the GitHub security advisory.

Vendor: HackingRepo
Product: dssrf-js
CVSS: 8.7 (High)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-05-18
Advisory published: 2026-05-12
Advisory updated: 2026-05-18

Who should care

Security teams and developers using dssrf-js in applications that rely on is_url_safe to block unsafe destinations, especially where user-controlled URLs may include IPv6 addresses.

Technical summary

According to the advisory, in versions before 1.3.0 is_url_safe fails to reject IPv6 addresses of any category, which defeats the SSRF protection for IPv6 targets. In practice, an application that relies on the function as its SSRF guard accepts, in IPv6 form, destinations the check exists to refuse: for instance the loopback address ::1, link-local and unique-local addresses, and IPv4-mapped literals such as ::ffff:127.0.0.1 that name an internal IPv4 host. The advisory maps the issue to CWE-791.

Defensive priority

High. If your application uses dssrf-js for SSRF filtering, upgrading to 1.3.0 or later should be treated as a priority remediation item, because the flaw sits in the function that makes the allow/deny decision itself.

Recommended defensive actions

  • Upgrade dssrf-js to version 1.3.0 or later.
  • Audit dependency manifests and lockfiles to find any transitive or pinned uses of affected versions.
  • Review any code paths that depend on is_url_safe for SSRF prevention, with attention to IPv6 handling.
  • Add or update tests that verify unsafe IPv6 targets are rejected by your SSRF controls, covering loopback, link-local, unique-local and IPv4-mapped literals in both compressed and expanded spellings.
  • If immediate upgrade is not possible, apply compensating controls at a higher layer (for example an allow-list of permitted destination hosts, egress filtering that blocks internal ranges over both IPv4 and IPv6, or an independent IPv6-aware host check run before the request is sent) and treat URL input as untrusted until remediation is complete.
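
As an added example, not code from dssrf-js or its advisory, the following JavaScript shows the class of failure described in the technical summary (an SSRF host check that screens only dotted-quad IPv4 hosts, so every IPv6 literal falls through as safe) beside a hardened check that parses and classifies IPv6 literals, and it doubles as a starting point for the tests and the independent host check recommended above. The weak function, the category names, the blocked ranges, the resolved-address parameter and the sample URLs are all constructed for this example; the advisory does not say what the vulnerable implementation looked like.

```javascript
// Added example, not dssrf-js code: an SSRF host check that classifies IPv6
// literals instead of ignoring them, beside the weak pattern it replaces.
// URL is the Node global WHATWG parser.

// IPv4 ranges an SSRF guard normally refuses: "this host", loopback, RFC 1918,
// link-local and CGNAT (constructed policy for this example).
function isBlockedIPv4(oct) {
  const [a, b] = oct;
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
    (a === 100 && b >= 64 && b <= 127) || (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168);
}

// Expand an IPv6 literal into eight 16-bit groups. Accepts "::" compression, a
// dotted IPv4 tail ("::ffff:127.0.0.1") and a zone index ("fe80::1%eth0").
// Returns null when the literal is malformed.
function parseIPv6(text) {
  let addr = text.split("%")[0];
  const m = addr.match(/^(.*:)(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$/);
  if (m) {
    const oct = m[2].split(".").map(Number);
    if (oct.some((o) => o > 255)) return null;
    addr = m[1] + ((oct[0] << 8) | oct[1]).toString(16) + ":" + ((oct[2] << 8) | oct[3]).toString(16);
  }
  const halves = addr.split("::");
  if (halves.length > 2) return null;
  const split = (s) => (s === "" ? [] : s.split(":"));
  const head = split(halves[0]);
  const tail = halves.length === 2 ? split(halves[1]) : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (halves.length === 1 && missing !== 0)) return null;
  const groups = [...head, ...Array(missing).fill("0"), ...tail];
  if (!groups.every((g) => /^[0-9a-fA-F]{1,4}$/.test(g))) return null;
  return groups.map((g) => parseInt(g, 16));
}

// Name the category of a parsed IPv6 address. Transition formats that carry an
// IPv4 address also return the embedded octets so the IPv4 policy can screen them.
function classifyIPv6(g) {
  const zeros = (n) => g.slice(0, n).every((x) => x === 0);
  const tail = [g[6] >> 8, g[6] & 0xff, g[7] >> 8, g[7] & 0xff];
  if (zeros(8)) return { category: "unspecified" };
  if (zeros(7) && g[7] === 1) return { category: "loopback" };
  if (zeros(5) && g[5] === 0xffff) return { category: "ipv4-mapped", embeddedIPv4: tail };
  if (zeros(6)) return { category: "ipv4-compatible", embeddedIPv4: tail };
  if (g[0] === 0x64 && g[1] === 0xff9b && g.slice(2, 6).every((x) => x === 0)) {
    return { category: "nat64", embeddedIPv4: tail };
  }
  if (g[0] === 0x2002) {
    return { category: "6to4", embeddedIPv4: [g[1] >> 8, g[1] & 0xff, g[2] >> 8, g[2] & 0xff] };
  }
  if ((g[0] & 0xffc0) === 0xfe80) return { category: "link-local" };
  if ((g[0] & 0xfe00) === 0xfc00) return { category: "unique-local" };
  if ((g[0] & 0xff00) === 0xff00) return { category: "multicast" };
  return { category: "global" };
}

// Decide for one address literal, IPv4 dotted quad or IPv6. Only global IPv6 is
// allowed outright; transition formats pass only if the embedded IPv4 would pass.
function isAddressSafe(literal) {
  const v4 = literal.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (v4) {
    const oct = v4.slice(1).map(Number);
    return oct.every((o) => o <= 255) && !isBlockedIPv4(oct);
  }
  const groups = parseIPv6(literal);
  if (!groups) return false; // not an address literal this check understands
  const { category, embeddedIPv4 } = classifyIPv6(groups);
  if (category === "global") return true;
  return embeddedIPv4 !== undefined && !isBlockedIPv4(embeddedIPv4);
}

// Weak pattern, constructed for illustration (the advisory does not show the
// library's code): only a dotted-quad host is screened, so every IPv6 literal
// and every hostname falls through as "safe".
function isUrlSafeIPv4Only(urlText) {
  const host = new URL(urlText).hostname;
  if (!/^\d+\.\d+\.\d+\.\d+$/.test(host)) return true;
  return !isBlockedIPv4(host.split(".").map(Number));
}

// Hardened check. A bracketed host is an IPv6 literal; a bare name must be
// resolved by the caller, with every A/AAAA answer passed in, so an unresolved
// name fails closed. Pinning the connection to those answers (DNS rebinding)
// remains the caller's job and is outside this example.
function isUrlSafe(urlText, resolvedAddresses = []) {
  let host;
  try {
    host = new URL(urlText).hostname; // normalizes "127.1" and IPv6 spelling
  } catch {
    return false;
  }
  if (host.startsWith("[") && host.endsWith("]")) return isAddressSafe(host.slice(1, -1));
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host)) return isAddressSafe(host);
  return resolvedAddresses.length > 0 && resolvedAddresses.every(isAddressSafe);
}
```

Running the host through new URL before classifying it matters: the WHATWG parser normalizes IPv4 shorthand (127.1 becomes 127.0.0.1) and serializes IPv4-mapped IPv6 literals in hex form (::ffff:7f00:1), so the literal checks see one canonical spelling. The weak function returns true for http://[::1]/ while the hardened one returns false, which is the kind of assertion the test suite recommended above should carry for each IPv6 category.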

Evidence notes

The description is supported by the public advisory referenced from NVD: dssrf-js prior to 1.3.0 has an IPv6 category bypass in is_url_safe, and the fix is in 1.3.0. NVD identifies the record as Deferred and includes CWE-791 in the advisory metadata. The CVSS score provided with the CVE is 8.7 (High).

Official resources

Publicly disclosed in the source record on 2026-05-12 and last modified on 2026-05-18. NVD currently marks the vulnerability status as Deferred.