Skip to main content

CC-Tweaked CVE-2026-47695

HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-29 https://github.com/cc-tweaked/CC-Tweaked GHSA-5jh9-2h63-pw4q
Share

Lifecycle Timeline

2
Source Code Evidence Fetched
May 29, 2026 - 20:50 vuln.today
Analysis Generated
May 29, 2026 - 20:50 vuln.today

DescriptionCVE.org

Summary

CC-Tweaked's HTTP API (http.request, http.websocket) blocks requests to private network ranges to prevent server-side request forgery (SSRF). This protection can be bypassed on IPv6-capable servers using NAT64 well-known prefix addresses (64:ff9b::/96). An attacker who can execute Lua code can reach any internal IPv4 service that the filter is intended to block, by addressing it as http://[64:ff9b::<ipv4-as-hex>]/ instead of its direct IPv4 address. This affects any CC-Tweaked deployment on a network with NAT64 routing - a configuration that is standard on AWS, GCP, and other cloud platforms when using IPv6-only subnets.

Details

The IP filter in PrivatePattern.matches() (AddressPredicate.java#L121-L130) blocks private network ranges by calling Java's standard InetAddress classification methods:

java
public boolean matches(InetAddress socketAddress) {
    return socketAddress.isAnyLocalAddress()
        || socketAddress.isLoopbackAddress()
        || socketAddress.isLinkLocalAddress()
        || socketAddress.isSiteLocalAddress()
        || socketAddress.isMulticastAddress()
        || isUniqueLocalAddress(socketAddress)
        || isCarrierGradeNatAddress(socketAddress)
        || additionalAddresses.contains(socketAddress);
}

When a NAT64 address such as 64:ff9b::c0a8:0101 (encoding 192.168.1.1) is resolved via new InetSocketAddress("64:ff9b::c0a8:0101", 80), Java returns an Inet6Address. Every method above returns false for this address - the 64:ff9b::/96 prefix is not recognised by any of Java's built-in classification methods. The address passes the filter and CC-Tweaked opens a connection.

On a network with a 64:ff9b::/96 → NAT Gateway route, that connection is translated at the network level: the embedded IPv4 address is extracted and the packet is forwarded to 192.168.1.1:80. The internal service receives a normal IPv4 TCP connection.

The existing 6to4 (2002::/16) mitigation in AddressRule.java#L74-L75 does not cover the NAT64 prefix. No other check catches 64:ff9b::/96.

PoC

Preconditions (all three required):

  1. The server running CC-Tweaked has an IPv6 address assigned
  2. The network has a NAT Gateway (or equivalent)
  3. The route table contains 64:ff9b::/96 → NAT Gateway - the standard AWS/GCP configuration for IPv6-only subnets with outbound IPv4 access (AWS documentation)

Lua payload (targets an internal service at 10.0.1.17:8888):

lua
-- 10.0.1.17 = 0x0a000111, expressed as NAT64: 64:ff9b::0a00:0111
local res = http.request("http://[64:ff9b::0a00:0111]:8888/")
if res then print(res.readAll()) end

Conversion formula - for any blocked IPv4 a.b.c.d, the bypass address is:

64:ff9b::<hex(a)><hex(b)>:<hex(c)><hex(d)>

Impact

This is a server-side request forgery (SSRF) vulnerability. Any user able to execute Lua code on a CC-Tweaked computer - including players on a public server - can use it to send HTTP requests to internal IPv4 services that the HTTP filter is designed to block. On cloud-hosted servers (AWS, GCP, Azure) using IPv6-only subnets with NAT64, which is an increasingly common configuration following AWS's February 2024 public IPv4 pricing change, this includes other instances in the VPC, internal databases, and cloud management APIs.

Suggested fix: add a check for the NAT64 well-known prefix in PrivatePattern.matches():

java
|| isNAT64Address(socketAddress)

private boolean isNAT64Address(InetAddress address) {
    if (!(address instanceof Inet6Address)) return false;
    byte[] b = address.getAddress();
    // 64:ff9b::/96 - NAT64 well-known prefix (RFC 6052)
    return b[0] == 0x00 && b[1] == 0x64 &&
           b[2] == (byte) 0xff && b[3] == (byte) 0x9b &&
           b[4] == 0 && b[5] == 0 && b[6] == 0 && b[7] == 0 &&
           b[8] == 0 && b[9] == 0 && b[10] == 0 && b[11] == 0;
}

This vulnerability does not seem to work on servers running on modern versions of MacOS.

AnalysisAI

Server-side request forgery in CC-Tweaked (a Minecraft mod providing in-game programmable computers via Lua) allows any player able to run Lua code to bypass the mod's HTTP private-network filter by addressing internal IPv4 services through NAT64 well-known prefix addresses (64:ff9b::/96). On cloud-hosted Minecraft servers using IPv6-only subnets with NAT64 routing (the default outbound-IPv4 path on AWS and GCP), this exposes other VPC instances, internal databases, and cloud metadata/management APIs. Publicly available exploit code exists via the GitHub Security Advisory PoC; no public exploit identified at time of analysis as being used in the wild and the issue is not listed in CISA KEV.

Technical ContextAI

CC-Tweaked exposes an HTTP API (http.request, http.websocket) to in-game Lua programs and enforces an SSRF allowlist in PrivatePattern.matches() within AddressPredicate.java. That filter relies entirely on Java's built-in java.net.InetAddress classification helpers (isLoopbackAddress, isSiteLocalAddress, isLinkLocalAddress, isMulticastAddress, etc.) plus custom checks for ULA, CGNAT, and 6to4 (2002::/16). None of these recognise the NAT64 well-known prefix defined by RFC 6052 (64:ff9b::/96), which embeds an IPv4 address in the low 32 bits of an IPv6 address. When a network operates a NAT64 gateway - the standard configuration AWS and GCP recommend for IPv6-only subnets that need outbound IPv4, especially after AWS's February 2024 public IPv4 pricing change - packets to 64:ff9b::<ipv4-hex> are translated to the embedded IPv4 destination, defeating the filter. The root cause is CWE-918 (SSRF): an incomplete blocklist that fails to anticipate IPv6 representations of private IPv4 destinations.

RemediationAI

Upgrade CC-Tweaked to version 1.119.0 or later for the corresponding Minecraft branch - this is the vendor-released patch and adds an isNAT64Address() check for the 64:ff9b::/96 prefix in PrivatePattern.matches() as described in GHSA-5jh9-2h63-pw4q. If immediate upgrade is not possible, operators on cloud platforms should remove or restrict the 64:ff9b::/96 → NAT gateway route in the VPC route table (this eliminates the bypass but also breaks any legitimate IPv6-to-IPv4 outbound traffic from the subnet), deploy the server on a host without an IPv6 address or without NAT64 routing (which removes the attack path entirely but may be operationally undesirable post-AWS IPv4 pricing changes), or restrict the CC-Tweaked HTTP allowlist via the mod's http rules in computercraft-server.toml to a small explicit allowlist of external hosts rather than relying on the private-range blocklist (this trades convenience for safety since legitimate external HTTP use cases from Lua scripts will break). Hardening cloud-metadata endpoints with IMDSv2 / hop-limit 1 also reduces the worst-case impact of SSRF reaching 169.254.169.254-equivalent services.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

CVE-2026-47695 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy