GHSA-XGCH-X3MX-CM3C

Vulnerability from github – Published: 2026-07-15 21:58 – Updated: 2026-07-15 21:58
VLAI
Summary
safeurl is Missing IPv6 CIDR Ranges in Blocklist
Details

The privateNetworks blocklist was found to be missing newly added CIDR ranges. More specifically, the following CIDR ranges were not being blocked: - 64:ff9b:1::/48: NAT64 local-use prefix (RFC 8215) - 5f00::/16: Segment Routing (SRv6) SIDs (RFC 9602) - 3fff::/20: documentation prefix (RFC 9637) - 100:0:0:1::/64: Dummy IPv6 Prefix (RFC 9780)

Impact

If exploited, an attacker would potentially be able to reach resources hosted on the IPs residing in the missing ranges.

Workarounds

Disable IPv6 by setting EnableIPv6(false). This is the default behavior of the library.

Resolution

Upgrade to v0.2.4

Credits

safeurl thanks @tonghuaroot for reporting.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/doyensec/safeurl"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.2.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-54452"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-15T21:58:03Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "The `privateNetworks` blocklist was found to be missing newly added CIDR ranges. More specifically, the following CIDR ranges were not being blocked:\n- `64:ff9b:1::/48`: NAT64 local-use prefix (RFC 8215)\n- `5f00::/16`: Segment Routing (SRv6) SIDs (RFC 9602)\n- `3fff::/20`: documentation prefix (RFC 9637)\n- `100:0:0:1::/64`: Dummy IPv6 Prefix (RFC 9780)\n\n### Impact\nIf exploited, an attacker would potentially be able to reach resources hosted on the IPs residing in the missing ranges.\n\n### Workarounds\nDisable IPv6 by setting `EnableIPv6(false)`. This is the default behavior of the library.\n\n### Resolution\nUpgrade to v0.2.4\n\n### Credits\nsafeurl thanks @tonghuaroot for reporting.",
  "id": "GHSA-xgch-x3mx-cm3c",
  "modified": "2026-07-15T21:58:03Z",
  "published": "2026-07-15T21:58:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/doyensec/safeurl/security/advisories/GHSA-xgch-x3mx-cm3c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/doyensec/safeurl"
    },
    {
      "type": "WEB",
      "url": "https://github.com/doyensec/safeurl/releases/tag/v0.2.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "safeurl is Missing IPv6 CIDR Ranges in Blocklist"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…