GHSA-xgch-x3mx-cm3c
safeurl is Missing IPv6 CIDR Ranges in Blocklist
Details
The `privateNetworks` blocklist was found to be missing newly added CIDR ranges. More specifically, the following CIDR ranges were not being blocked: - `64:ff9b:1::/48`: NAT64 local-use prefix (RFC 8215) - `5f00::/16`: Segment Routing (SRv6) SIDs (RFC 9602) - `3fff::/20`: documentation prefix (RFC 9637) - `100:0:0:1::/64`: Dummy IPv6 Prefix (RFC 9780)
### Impact If exploited, an attacker would potentially be able to reach resources hosted on the IPs residing in the missing ranges.
### Workarounds Disable IPv6 by setting `EnableIPv6(false)`. This is the default behavior of the library.
### Resolution Upgrade to v0.2.4
### Credits safeurl thanks @tonghuaroot for reporting.
Are you affected?
Enter the version of the package you're using.
Affected packages
0 Fixed in: 0.2.4 go get github.com/doyensec/safeurl@v0.2.4