SSRF Vulnerability via IPv4-Mapped IPv6 Address Validation
A vulnerability in the netaddr library allows IP address validation to be bypassed using IPv4-mapped IPv6 addresses (the ::ffff:a.b.c.d form), leading to potential SSRF attacks. The issue affects all versions of netaddr before 0.10.0, which introduced a fix. It stems from the library failing to classify an IPv4-mapped IPv6 address as private, link-local, or loopback when the embedded IPv4 address is, so a filter that relies on those checks does not adequately protect against SSRF.
Available publicly on Apr 16 2024 | Available with Premium on Feb 21 2024
Remediation Steps
- Update netaddr to version 0.10.0 or later.
- Review and update any custom IP validation logic to ensure IPv4-mapped IPv6 addresses are correctly identified and handled.
- Consider implementing additional layers of security to mitigate SSRF risks, such as strict input validation, use of allowlists for external services, and employing application firewalls.
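As an added example for the second remediation step (this is not code from the advisory or from netaddr), the helper below uses Python's standard-library ipaddress module to unwrap an IPv4-mapped IPv6 literal to its embedded IPv4 address before classifying it, so the loopback/private/link-local checks see the real target. The function names and the sample addresses are constructed for illustration.

```python
import ipaddress
from ipaddress import IPv4Address, IPv6Address
from typing import Union


def effective_address(literal: str) -> Union[IPv4Address, IPv6Address]:
    """Parse an IP literal and, if it is an IPv4-mapped IPv6 address
    (::ffff:a.b.c.d or its hex form ::ffff:xxxx:xxxx), return the IPv4
    address it designates. Raises ValueError on anything unparsable."""
    text = literal.strip()
    if text.startswith("[") and text.endswith("]"):  # URL-style [::1]
        text = text[1:-1]
    addr = ipaddress.ip_address(text)
    # The naive check (addr.is_loopback on the IPv6 object) is what the
    # vulnerable validation did; unwrapping first avoids that gap.
    if isinstance(addr, IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_internal(addr: Union[IPv4Address, IPv6Address]) -> bool:
    """True for any address an SSRF filter should refuse to connect to."""
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def is_safe_target(literal: str) -> bool:
    """Allow only globally routable unicast literals; reject unparsable input
    (hostname resolution and DNS rebinding are out of scope here)."""
    try:
        addr = effective_address(literal)
    except ValueError:
        return False
    return not is_internal(addr)


if __name__ == "__main__":
    # Constructed sample inputs: mapped loopback/private forms must be refused,
    # a mapped public address and plain public addresses may pass.
    for sample in ("::ffff:127.0.0.1", "::ffff:7f00:1", "[::ffff:10.0.0.5]",
                   "::ffff:169.254.1.1", "::1", "::ffff:8.8.8.8", "8.8.8.8"):
        print(f"{sample:24} -> {'allow' if is_safe_target(sample) else 'block'}")
```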
Patch Details
- Fixed Version: 0.10.0
- Patch Commit: https://github.com/netaddr/netaddr/commit/6790fa75d4952287a57d5f1ec700fc9f2f5f6e0a