SSRF Vulnerability via IPv4-Mapped IPv6 Address Validation
A vulnerability in the netaddr library allows bypassing IP address validation for IPv4-mapped IPv6 addresses, leading to potential SSRF attacks. This issue affects all versions of netaddr before 0.10.0, which introduced a fix. The vulnerability stems from the library's failure to correctly identify IPv4-mapped IPv6 addresses as private, link-local, or loopback, thus not adequately protecting against SSRF attacks.
Available publicly on Apr 16 2024 | Available with Premium on Feb 21 2024
Threat Overview
The vulnerability arises from the netaddr library's inability to properly classify IPv4-mapped IPv6 addresses using its is_private
, is_link_local
, and is_loopback
functions. These functions are crucial for determining whether an IP address belongs to a range that should not be accessible from the public internet, as a measure against SSRF attacks. However, due to the oversight in handling IPv4-mapped IPv6 addresses, attackers can bypass these checks, potentially allowing them to make unauthorized requests to internal resources.
Attack Scenario
An attacker crafts a request to a vulnerable application that uses netaddr for IP validation, embedding an IPv4-mapped IPv6 address that maps to an internal IP. Due to the flaw in netaddr, the application fails to recognize the address as internal. Consequently, the attacker can force the application to interact with internal services, leading to SSRF.
Who is affected
Any application or proxy server utilizing the netaddr library for IP address validation to protect against SSRF attacks is vulnerable until updated to version 0.10.0 or later. This includes applications that rely on netaddr to restrict access to non-public IP ranges.
Technical Report
Want more out of Sightline?
Sightline offers even more for premium customers
Go Premium
We have - related security advisories that are available with Sightline Premium.