Nu Html Checker SSRF: When 'Localhost' Isn't the Only Way Home
Jan 18, 2026
Executive Summary (TL;DR)
The Nu Html Checker lets users validate a document by supplying its URL. The server-side fetcher tries to keep that URL away from internal services by rejecting hostnames such as "localhost", but it never checks the IP address the hostname actually resolves to. An attacker can therefore supply a domain that resolves to a loopback or private address, or use DNS rebinding to change the answer between the check and the connection, and make the checker connect to its own internal services or to other hosts on its local network.
The Nu Html Checker (validator.nu), the engine behind the W3C's HTML validation services, contains a Server-Side Request Forgery (SSRF) vulnerability. Because the URL fetcher relies on a hostname blocklist instead of validating the resolved address, an attacker can bypass the restriction with a DNS name that points at an internal address, or with DNS rebinding, and reach internal network resources.
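The bypass and the fix side by side, as an added Python model that is not code from the Nu Html Checker (the project itself is written in Java) and that touches no network: the host names, the FAKE_DNS answer table and the FakeResolver stand-in for the system resolver are all constructed for this example. It shows three fetchers: one that only blocklists the hostname (defeated by any name that resolves to loopback), one that classifies the resolved address but looks the name up again when it connects (defeated by DNS rebinding), and one that validates the address once and pins the connection to it.

```python
"""Model of the hostname-blocklist SSRF check beside a resolve-and-pin check."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed in-memory DNS table (hypothetical names, no network access).
# Each entry is a list of successive answers: a lookup consumes the first
# answer, and the last answer is returned for every lookup after that, so
# "rebind.example" behaves like a short-TTL attacker zone that flips from a
# public address to loopback between the check and the connection.
FAKE_DNS: Dict[str, List[List[str]]] = {
    "public.example":   [["93.184.216.34"]],
    "loopback.example": [["127.0.0.1"]],
    "v6loop.example":   [["::1"]],
    "mapped.example":   [["::ffff:127.0.0.1"]],   # IPv4-mapped IPv6 loopback
    "meta.example":     [["169.254.169.254"]],     # link-local (cloud metadata range)
    "rfc1918.example":  [["10.0.0.5"]],
    "rebind.example":   [["93.184.216.34"], ["127.0.0.1"]],
}


class FakeResolver:
    """Stand-in for socket.getaddrinfo that replays the FAKE_DNS answers."""

    def __init__(self, table: Dict[str, List[List[str]]]) -> None:
        self.table = {host: list(answers) for host, answers in table.items()}

    def resolve(self, host: str) -> List[str]:
        answers = self.table[host]
        return answers.pop(0) if len(answers) > 1 else answers[0]


# --- the pattern the advisory describes: a hostname blocklist ---------------
BANNED_HOSTNAMES = {"localhost", "127.0.0.1", "::1", "0.0.0.0"}


def hostname_blocklist_allows(host: str) -> bool:
    """Vulnerable check: only the literal hostname is compared, never the address."""
    return host.lower() not in BANNED_HOSTNAMES


# --- the hardened replacement: classify the resolved address -----------------
def is_internal(ip_str: str) -> bool:
    """True for loopback, private, link-local, multicast, reserved or unspecified addresses."""
    ip = ipaddress.ip_address(ip_str)
    # Unwrap ::ffff:a.b.c.d so the IPv4 range checks apply to the embedded address.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def resolve_and_validate(host: str, resolver: FakeResolver) -> str:
    """Resolve exactly once, reject if ANY answer is internal, return the address to pin."""
    answers = resolver.resolve(host)
    for addr in answers:
        if is_internal(addr):
            raise ValueError(f"{host} resolves to internal address {addr}")
    return answers[0]


Result = Tuple[str, Optional[str]]


def fetch_blocklist_only(host: str, resolver: FakeResolver) -> Result:
    """Reject banned names, then connect to whatever the name resolves to."""
    if not hostname_blocklist_allows(host):
        return ("blocked", None)
    return ("connected", resolver.resolve(host)[0])


def fetch_check_then_reresolve(host: str, resolver: FakeResolver) -> Result:
    """Classify the resolved address, then look the name up AGAIN to connect.

    The second lookup is the rebinding window: once the check has passed, the
    attacker's zone can answer with a loopback address."""
    if any(is_internal(a) for a in resolver.resolve(host)):
        return ("blocked", None)
    return ("connected", resolver.resolve(host)[0])


def fetch_pinned(host: str, resolver: FakeResolver) -> Result:
    """Validate the resolved address once and connect to that exact address.

    A real client would open the socket to the returned address while still
    sending `Host: <host>`, and would run this same check on every redirect."""
    try:
        ip = resolve_and_validate(host, resolver)
    except ValueError:
        return ("blocked", None)
    return ("connected", ip)


if __name__ == "__main__":
    for name in FAKE_DNS:
        print(f"{name:18} blocklist={fetch_blocklist_only(name, FakeResolver(FAKE_DNS))} "
              f"recheck={fetch_check_then_reresolve(name, FakeResolver(FAKE_DNS))} "
              f"pinned={fetch_pinned(name, FakeResolver(FAKE_DNS))}")
```

Each fetcher gets a fresh FakeResolver so the rebinding sequence replays from the start. The pinned variant is the one to copy: it resolves once, rejects the request if any answer is internal (a mixed answer set is as dangerous as a pure one, since the client may pick any of them), and connects to the validated address rather than to the name; the same check has to be repeated for every redirect target, otherwise a public host can simply 302 the checker to an internal one.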
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
Affected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| Nu Html Checker (validator.nu) | Builds before commit 23f090a (Jan 16, 2026) | Builds from Jan 16, 2026 onward (commit 23f090a and later) |
| Attribute | Detail |
|---|---|
| Vulnerability Type | SSRF (Server-Side Request Forgery) |
| CWE ID | CWE-918 |
| CVSS v4.0 | 6.9 (Medium) |
| Attack Vector | Network |
| Attack Complexity | Low |
| Exploit Status | No public PoC, but technique is standard |
| EPSS Score | 0.06% |
CWE-918 Description
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.