php · symfony/http-clientHeads-up
symfony/http-client: NoPrivateNetworkHttpClient now blocks IPv6 transition prefixes
The private-subnet list in NoPrivateNetworkHttpClient now includes IPv6 transition prefixes (::/96, 2002::/16, 2001::/32, 64:ff9b::/96, 64:ff9b:1::/48) to block
What changed
The private-subnet list in NoPrivateNetworkHttpClient now includes IPv6 transition prefixes (::/96, 2002::/16, 2001::/32, 64:ff9b::/96, 64:ff9b:1::/48) to block requests to private IPv4 addresses embedded in IPv6 addresses.
Who it affects
Users of Symfony HttpClient who rely on NoPrivateNetworkHttpClient to block requests to private networks.
What to do today
Update symfony/http-client to the latest patched version (5.4.x, 6.4.x, 7.4.x, 8.0.x, or 8.1.x) to ensure private network protection covers IPv6 transition mechanisms.
The trail
Collected→
Audited→
Written→
Published