PT-2026-60376 · Go · Github.Com/Doyensec/Safeurl

CVE-2026-54452

·

Published

2026-07-15

·

Updated

2026-07-15

CVSS v4.0

6.9

Medium

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
The privateNetworks blocklist was found to be missing newly added CIDR ranges. More specifically, the following CIDR ranges were not being blocked:
  • 64:ff9b:1::/48: NAT64 local-use prefix (RFC 8215)
  • 5f00::/16: Segment Routing (SRv6) SIDs (RFC 9602)
  • 3fff::/20: documentation prefix (RFC 9637)
  • 100:0:0:1::/64: Dummy IPv6 Prefix (RFC 9780)

Impact

If exploited, an attacker would potentially be able to reach resources hosted on the IPs residing in the missing ranges.

Workarounds

Disable IPv6 by setting EnableIPv6(false). This is the default behavior of the library.

Resolution

Upgrade to v0.2.4

Credits

safeurl thanks @tonghuaroot for reporting.

Fix

SSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-54452
GHSA-XGCH-X3MX-CM3C

Affected Products

Github.Com/Doyensec/Safeurl