MEDIUM

GHSA-xw57-23p8-9wc5

@asymmetric-effort/specifyjs: Localhost bypass incomplete (IPv6, 0.0.0.0, 127.x range)

Details

## Finding

**Location**: `core/src/shared/secure-fetch.ts:52-54`

The localhost exception allowed `localhost` and `127.0.0.1` but did not cover `0.0.0.0`, `[::1]` (IPv6 localhost), or the full `127.0.0.0/8` loopback range.

## Status

**Fixed in v0.2.136** — Localhost detection now covers `localhost`, `127.0.0.1`, `[::1]`, `0.0.0.0`, and the full `127.x.x.x` range.
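A localhost check that covers every form listed under Status, shown next to the narrow two-name check the finding describes. This is an added example, not the code from `secure-fetch.ts`; the function names and the sample hostnames are assumptions made for illustration.

```typescript
// Added illustration; names are hypothetical, not the package's API.

// Narrow check as described in the finding: two literal names only.
function isLocalhostNarrow(hostname: string): boolean {
  return hostname === "localhost" || hostname === "127.0.0.1";
}

// True only for a dotted-quad IPv4 literal inside 127.0.0.0/8.
// The anchored pattern rejects DNS names that merely begin with "127.",
// such as "127.0.0.1.example.com".
function isIpv4Loopback(hostname: string): boolean {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(hostname);
  if (m === null) return false;
  for (let i = 1; i <= 4; i++) {
    if (Number(m[i]) > 255) return false; // not a valid octet
  }
  return Number(m[1]) === 127;
}

// Full check: localhost, [::1], 0.0.0.0 and the whole 127.x.x.x range.
function isLocalhostFull(hostname: string): boolean {
  const h = hostname.toLowerCase();
  return h === "localhost" || h === "[::1]" || h === "0.0.0.0" || isIpv4Loopback(h);
}

// Take the hostname from a parsed URL rather than from string slicing,
// so the port, path and userinfo never reach the comparison. The WHATWG
// URL parser keeps the brackets on IPv6 literals, hence "[::1]".
function hostOf(url: string): string {
  return new URL(url).hostname;
}

// Constructed sample URLs, one per form named in the advisory.
const samples = [
  "http://localhost:3000/",
  "http://127.0.0.1/",
  "http://127.8.9.10/",
  "http://[::1]:8080/api",
  "http://0.0.0.0:5000/",
  "http://127.0.0.1.example.com/", // a DNS name, must not match
];
for (const u of samples) {
  const h = hostOf(u);
  console.log(h, "narrow:", isLocalhostNarrow(h), "full:", isLocalhostFull(h));
}
```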

Affected packages

npm / @asymmetric-effort/specifyjs
Introduced in: 0; fixed in: 0.2.136

Fix: `npm install @asymmetric-effort/specifyjs@0.2.136`