VDB
KO
MEDIUM

GHSA-xgch-x3mx-cm3c

safeurl is Missing IPv6 CIDR Ranges in Blocklist

Details

The `privateNetworks` blocklist was found to be missing newly added CIDR ranges. More specifically, the following CIDR ranges were not being blocked: - `64:ff9b:1::/48`: NAT64 local-use prefix (RFC 8215) - `5f00::/16`: Segment Routing (SRv6) SIDs (RFC 9602) - `3fff::/20`: documentation prefix (RFC 9637) - `100:0:0:1::/64`: Dummy IPv6 Prefix (RFC 9780)

### Impact If exploited, an attacker would potentially be able to reach resources hosted on the IPs residing in the missing ranges.

### Workarounds Disable IPv6 by setting `EnableIPv6(false)`. This is the default behavior of the library.

### Resolution Upgrade to v0.2.4

### Credits safeurl thanks @tonghuaroot for reporting.

Are you affected?

Enter the version of the package you're using.

Affected packages

Go / github.com/doyensec/safeurl
Introduced in: 0 Fixed in: 0.2.4
Fix go get github.com/doyensec/safeurl@v0.2.4

References