Skip to main content

safeurl CVE-2026-54452

MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-07-15 https://github.com/doyensec/safeurl GHSA-xgch-x3mx-cm3c
Share

Severity by source

vuln.today AI
4.0 MEDIUM

AC:H because IPv6 must be explicitly enabled (non-default); S:C because SSRF crosses a trust boundary to subsequent systems; C:L for limited internal resource read access; no integrity or availability impact.

3.1 AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N

Estimated by vuln.today — no official severity rating has been published for this CVE yet.

Lifecycle Timeline

2
Source Code Evidence Fetched
Jul 15, 2026 - 22:16 vuln.today
Analysis Generated
Jul 15, 2026 - 22:16 vuln.today

DescriptionCVE.org

The privateNetworks blocklist was found to be missing newly added CIDR ranges. More specifically, the following CIDR ranges were not being blocked:

  • 64:ff9b:1::/48: NAT64 local-use prefix (RFC 8215)
  • 5f00::/16: Segment Routing (SRv6) SIDs (RFC 9602)
  • 3fff::/20: documentation prefix (RFC 9637)
  • 100:0:0:1::/64: Dummy IPv6 Prefix (RFC 9780)

Impact

If exploited, an attacker would potentially be able to reach resources hosted on the IPs residing in the missing ranges.

Workarounds

Disable IPv6 by setting EnableIPv6(false). This is the default behavior of the library.

Resolution

Upgrade to v0.2.4

Credits

safeurl thanks @tonghuaroot for reporting.

AnalysisAI

SSRF protection bypass in the Doyensec safeurl Go library (versions prior to 0.2.4) allows network requests to four newly standardized IPv6 CIDR ranges that were absent from the library's internal blocklist. Applications that explicitly enable IPv6 via EnableIPv6(true) and rely on safeurl to enforce SSRF controls are exposed; attackers who can supply attacker-controlled URLs to such applications may reach internal resources hosted on NAT64 local-use (64:ff9b:1::/48), SRv6 SID (5f00::/16), documentation (3fff::/20), or Dummy IPv6 (100:0:0:1::/64) address space. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Supply crafted IPv6 URL to application
Delivery
Application invokes safeurl to validate URL
Exploit
safeurl blocklist misses target IPv6 range
Execution
Outbound request bypasses SSRF filter
Persist
Application fetches internal resource
Impact
Attacker receives sensitive internal response

Vulnerability AssessmentAI

Exploitation Exploitation requires that the consuming application has explicitly called EnableIPv6(true) - this is a non-default configuration, as IPv6 is disabled by default in safeurl. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No official CVSS score or vector was published with this advisory, requiring metric inference from the description. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies a web application that uses safeurl with IPv6 enabled to fetch user-supplied URLs, such as a webhook processor or URL preview feature. The attacker submits a URL referencing an internal resource at an address within the 64:ff9b:1::/48 NAT64 range or another unblocked prefix, which the library fails to recognize as private. …
Remediation The primary fix is to upgrade to safeurl v0.2.4, which expands the private network blocklist to include all four missing IPv6 CIDR ranges; the release is available at https://github.com/doyensec/safeurl/releases/tag/v0.2.4. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54452 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy