safeurl CVE-2026-54452
MEDIUMSeverity by source
AC:H because IPv6 must be explicitly enabled (non-default); S:C because SSRF crosses a trust boundary to subsequent systems; C:L for limited internal resource read access; no integrity or availability impact.
Estimated by vuln.today — no official severity rating has been published for this CVE yet.
Lifecycle Timeline
2DescriptionCVE.org
The privateNetworks blocklist was found to be missing newly added CIDR ranges. More specifically, the following CIDR ranges were not being blocked:
64:ff9b:1::/48: NAT64 local-use prefix (RFC 8215)5f00::/16: Segment Routing (SRv6) SIDs (RFC 9602)3fff::/20: documentation prefix (RFC 9637)100:0:0:1::/64: Dummy IPv6 Prefix (RFC 9780)
Impact
If exploited, an attacker would potentially be able to reach resources hosted on the IPs residing in the missing ranges.
Workarounds
Disable IPv6 by setting EnableIPv6(false). This is the default behavior of the library.
Resolution
Upgrade to v0.2.4
Credits
safeurl thanks @tonghuaroot for reporting.
AnalysisAI
SSRF protection bypass in the Doyensec safeurl Go library (versions prior to 0.2.4) allows network requests to four newly standardized IPv6 CIDR ranges that were absent from the library's internal blocklist. Applications that explicitly enable IPv6 via EnableIPv6(true) and rely on safeurl to enforce SSRF controls are exposed; attackers who can supply attacker-controlled URLs to such applications may reach internal resources hosted on NAT64 local-use (64:ff9b:1::/48), SRv6 SID (5f00::/16), documentation (3fff::/20), or Dummy IPv6 (100:0:0:1::/64) address space. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the consuming application has explicitly called EnableIPv6(true) - this is a non-default configuration, as IPv6 is disabled by default in safeurl. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No official CVSS score or vector was published with this advisory, requiring metric inference from the description. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker identifies a web application that uses safeurl with IPv6 enabled to fetch user-supplied URLs, such as a webhook processor or URL preview feature. The attacker submits a URL referencing an internal resource at an address within the 64:ff9b:1::/48 NAT64 range or another unblocked prefix, which the library fails to recognize as private. … |
| Remediation | The primary fix is to upgrade to safeurl v0.2.4, which expands the private network blocklist to include all four missing IPv6 CIDR ranges; the release is available at https://github.com/doyensec/safeurl/releases/tag/v0.2.4. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-xgch-x3mx-cm3c