CVE-2026-44232

描述

A vulnerability in dssrf allows an attacker to bypass its SSRF protections by supplying one of the following IPv6 addresses, resulting in a successful SSRF. This contradicts dssrf documentation, which incorrectly claims that IPv6 is disabled entirely. See below: ```rust Input Category http://[::1]/ IPv6 loopback http://[fc00::1]/ IPv6 ULA http://[fe80::1]/ IPv6 link-local http://[::ffff:127.0.0.1]/ IPv4-mapped loopback http://[::ffff:169.254.169.254]/ IPv4-mapped IMDS http://[::ffff:100.64.0.1]/ IPv4-mapped CGNAT http://[64:ff9b::7f00:1]/ NAT64 well-known prefix http://[64:ff9b:1::1]/ NAT64 local-use (RFC 8215) http://[5f00::1]/ SRv6 SID (RFC 9602) http://[3fff::1]/ IPv6 documentation (RFC 9637) http://[fec0::1]/ IPv6 site-local (deprecated, RFC 3879) http://[::127.0.0.1]/ IPv4-compatible IPv6 ``` ### POC ```bash mkdir dssrf-poc && cd dssrf-poc npm init -y >/dev/null npm install dssrf@^1.0.2 cat > audit.js <<'EOF' const dssrf = require('dssrf'); const cases = [ ['http://[::1]/', 'IPv6 loopback'], ['http://[fc00::1]/', 'IPv6 ULA'], ['http://[fe80::1]/', 'IPv6 link-local'], ['http://[::ffff:127.0.0.1]/', 'IPv4-mapped loopback'], ['http://[::ffff:169.254.169.254]/', 'IPv4-mapped IMDS'], ['http://[64:ff9b::7f00:1]/', 'NAT64 well-known + 127.0.0.1'], ['http://[64:ff9b:1::1]/', 'NAT64 local-use (RFC 8215)'], ['http://[5f00::1]/', 'SRv6 SID (RFC 9602)'], ['http://[fec0::1]/', 'IPv6 site-local deprecated'], ['http://127.0.0.1/', 'IPv4 loopback (control)'], ['http://10.0.0.1/', 'IPv4 RFC1918 (control)'], ['http://8.8.8.8/', 'PUBLIC IPv4 (control)'], ]; (async () => { for (const [url, label] of cases) { const safe = await dssrf.is_url_safe(url); console.log(`${safe ? '✓ALLOW' : '·block'} ${url.padEnd(40)} ${label}`); } })(); EOF node audit.js ``` ### Credit dssrf thanks <[email protected]> for reporting this issue responsibly. ### Update Users should immediately update to dssrf 1.3.0. ### Lessons Learned As seen both in the past and today, many advisories and CVE bypasses leverage IPv6. IPv6 remains the weakest link, as it is rarely configured correctly and seldom tested. In this case, while IPv4 was properly blocked, the corresponding IPv6 blocking logic was completely broken and never actually worked.,

如何修補 CVE-2026-44232

要修補 CVE-2026-44232,請將受影響套件升級到下列已修補版本。

描述

如何修補 CVE-2026-44232

CVE-2026-44232 正在被利用嗎?

受影響套件(1)

CVSS 分數

參考連結(2)