js · @sync-in/server · Critical
@sync-in/server: SSRF bypass via IPv4-mapped IPv6 addresses in URL download
What changed
The private IP blocklist regex in the URL download feature only matches dotted IPv4 literals, so an IPv4-mapped IPv6 address such as ::ffff:127.0.0.1 passes the check. On a dual-stack system the kernel delivers a connection to ::ffff:127.0.0.1 to the IPv4 loopback, so the SSRF protection is bypassed.
Who it affects
Any user with access to the URL download feature can use it to fetch resources the server can reach but the user should not, such as services bound to loopback or to private and link-local addresses.
What to do today
Update the regExpPrivateIP regex in backend/src/applications/files/utils/url-file.ts to include IPv4-mapped IPv6 variants (::ffff:<ipv4>). Note that the mapped prefix also appears in hex form (::ffff:7f00:1) and, in a URL, inside brackets ([::ffff:127.0.0.1]); a blocklist that adds only the dotted form still misses those, so normalizing an IP literal to its embedded IPv4 address before applying the existing IPv4 rules is more robust than extending the regex.
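As an added illustration, not code from @sync-in/server (the project's real regExpPrivateIP is not reproduced; the naive regex below is an assumed stand-in with the same dotted-quad-only shape), the following JavaScript puts such a blocklist next to a checker that canonicalises the host literal before deciding. It goes beyond the ::ffff:<ipv4> case named above: it also handles the hex mapped form, the bracketed URL host form, the uncompressed form, ::1, and the IPv6 unique-local and link-local ranges. The sample hosts at the bottom are constructed for the demonstration.

```javascript
// Added example, not @sync-in/server's code: a hypothetical dotted-IPv4-only
// blocklist regex next to a checker that canonicalises IP literals first.

// Stand-in for a dotted-quad-only private-range regex (assumed shape; the
// real regExpPrivateIP is not reproduced here).
const naivePrivateIpRegex =
  /^(127\.|10\.|0\.|169\.254\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)/;

// Strict dotted-quad parser: decimal octets only, no leading zeros (so the
// octal/hex/single-integer shorthands some resolvers accept are rejected
// rather than misread). Returns a uint32 or null.
function parseIPv4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  let n = 0;
  for (let i = 1; i <= 4; i++) {
    if (m[i].length > 1 && m[i][0] === '0') return null;
    const octet = Number(m[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n >>> 0;
}

// Expand an IPv6 literal (with "::" compression and optional trailing dotted
// IPv4 in mixed notation) into eight 16-bit groups, or null if malformed.
function expandIPv6(addr) {
  let a = addr;
  const mixed = /^(.*:)(\d{1,3}(?:\.\d{1,3}){3})$/.exec(a);
  if (mixed) {
    const v4 = parseIPv4(mixed[2]);
    if (v4 === null) return null;
    a = mixed[1] + (v4 >>> 16).toString(16) + ':' + (v4 & 0xffff).toString(16);
  }
  const halves = a.split('::');
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const fill = 8 - head.length - tail.length;
  if (halves.length === 2 ? fill < 1 : fill !== 0) return null;
  const groups = [...head, ...Array(halves.length === 2 ? fill : 0).fill('0'), ...tail];
  if (!groups.every((g) => /^[0-9a-f]{1,4}$/.test(g))) return null;
  return groups.map((g) => parseInt(g, 16));
}

// Private/internal IPv4 ranges, checked numerically on a uint32.
function isPrivateIPv4(n) {
  const first = n >>> 24;
  return (
    first === 127 ||            // 127.0.0.0/8 loopback
    first === 10 ||             // 10.0.0.0/8
    first === 0 ||              // 0.0.0.0/8 (0.0.0.0 reaches local services on Linux)
    (n >>> 20) === 0xac1 ||     // 172.16.0.0/12
    (n >>> 16) === 0xc0a8 ||    // 192.168.0.0/16
    (n >>> 16) === 0xa9fe       // 169.254.0.0/16 link-local, incl. cloud metadata
  );
}

// Decide whether a URL host literal points at an internal address. Hostnames
// return false here; the caller must resolve them and re-check every A/AAAA
// result (and connect to the checked result) to close the DNS side.
function isPrivateAddress(host) {
  let h = host.trim().toLowerCase();
  if (h.startsWith('[') && h.endsWith(']')) h = h.slice(1, -1); // URL bracket form
  const v4 = parseIPv4(h);
  if (v4 !== null) return isPrivateIPv4(v4);
  const g = expandIPv6(h);
  if (g === null) return false;
  const lead = g.slice(0, 5).every((x) => x === 0);
  // ::ffff:a.b.c.d / ::ffff:XXXX:XXXX -> apply the IPv4 rules to the embedded address
  if (lead && g[5] === 0xffff) return isPrivateIPv4(((g[6] << 16) | g[7]) >>> 0);
  if (lead && g[5] === 0) {
    if (g[6] === 0 && g[7] <= 1) return true;          // :: and ::1
    return isPrivateIPv4(((g[6] << 16) | g[7]) >>> 0); // deprecated ::a.b.c.d form
  }
  if ((g[0] & 0xfe00) === 0xfc00) return true; // fc00::/7 unique local
  if ((g[0] & 0xffc0) === 0xfe80) return true; // fe80::/10 link-local
  return false;
}

// Side-by-side result for one host literal.
function compare(host) {
  return { naive: naivePrivateIpRegex.test(host), hardened: isPrivateAddress(host) };
}

// Constructed sample hosts: the second, third and fourth are the bypass shapes.
for (const host of ['127.0.0.1', '::ffff:127.0.0.1', '[::ffff:7f00:1]',
                    '0:0:0:0:0:ffff:169.254.169.254', '::1', '8.8.8.8', '::ffff:8.8.8.8']) {
  console.log(host.padEnd(32), JSON.stringify(compare(host)));
}
```

Hostnames fall through as not private, so the remaining SSRF surface is DNS: the download code should resolve the name itself, run isPrivateAddress over every returned address, and hand the HTTP client the address it checked rather than the name, so a second lookup (or a rebinding record) cannot swap in a mapped or private answer after the check.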