GHSA-XGCH-X3MX-CM3C
Vulnerability from github – Published: 2026-07-15 21:58 – Updated: 2026-07-15 21:58
VLAI
Summary
safeurl is Missing IPv6 CIDR Ranges in Blocklist
Details
The privateNetworks blocklist was found to be missing newly added CIDR ranges. More specifically, the following CIDR ranges were not being blocked:
- 64:ff9b:1::/48: NAT64 local-use prefix (RFC 8215)
- 5f00::/16: Segment Routing (SRv6) SIDs (RFC 9602)
- 3fff::/20: documentation prefix (RFC 9637)
- 100:0:0:1::/64: Dummy IPv6 Prefix (RFC 9780)
Impact
If exploited, an attacker would potentially be able to reach resources hosted on the IPs residing in the missing ranges.
Workarounds
Disable IPv6 by setting EnableIPv6(false). This is the default behavior of the library.
Resolution
Upgrade to v0.2.4
Credits
safeurl thanks @tonghuaroot for reporting.
Severity
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/doyensec/safeurl"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.2.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-54452"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-15T21:58:03Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "The `privateNetworks` blocklist was found to be missing newly added CIDR ranges. More specifically, the following CIDR ranges were not being blocked:\n- `64:ff9b:1::/48`: NAT64 local-use prefix (RFC 8215)\n- `5f00::/16`: Segment Routing (SRv6) SIDs (RFC 9602)\n- `3fff::/20`: documentation prefix (RFC 9637)\n- `100:0:0:1::/64`: Dummy IPv6 Prefix (RFC 9780)\n\n### Impact\nIf exploited, an attacker would potentially be able to reach resources hosted on the IPs residing in the missing ranges.\n\n### Workarounds\nDisable IPv6 by setting `EnableIPv6(false)`. This is the default behavior of the library.\n\n### Resolution\nUpgrade to v0.2.4\n\n### Credits\nsafeurl thanks @tonghuaroot for reporting.",
"id": "GHSA-xgch-x3mx-cm3c",
"modified": "2026-07-15T21:58:03Z",
"published": "2026-07-15T21:58:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/doyensec/safeurl/security/advisories/GHSA-xgch-x3mx-cm3c"
},
{
"type": "PACKAGE",
"url": "https://github.com/doyensec/safeurl"
},
{
"type": "WEB",
"url": "https://github.com/doyensec/safeurl/releases/tag/v0.2.4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "safeurl is Missing IPv6 CIDR Ranges in Blocklist"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…