fix: block IPv6 6to4, NAT64, site-local and CGNAT ranges in IsPublicIP#3031
Merged
Conversation
dgageot
approved these changes
Jun 9, 2026
This comment was marked as low quality.
This comment was marked as low quality.
Sorry, something went wrong.
This was referenced Jun 9, 2026
Closed
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Extends
IsPublicIPinpkg/httpclient/ssrf.goto block two categories of addresses that bypass the existing Go stdlib checks:100.64.0.0/10(RFC 6598): not covered byIsPrivate()2002::/16(RFC 3056, 6to4)64:ff9b::/96(RFC 6052, NAT64 well-known)64:ff9b:1::/48(RFC 8215, NAT64 local-use)fec0::/10(RFC 3879, site-local, deprecated)On dual-stack or NAT64-enabled hosts (default in IPv6-only GKE, AWS IPv6-only EC2, Azure IPv6 VMs), addresses like
64:ff9b::a9fe:a9fetranslate directly to169.254.169.254(cloud metadata). The existing blocklist did not catch these.Also adds a
mustCIDRhelper that panics at startup on a malformed CIDR literal, replacing silent failure at runtime.Why
Same class of vulnerability as GHSA-r48c-v28r-pf6v (modelcontextprotocol/registry), fixed upstream in their PR #1250. The
IsPublicIPfunction is the SSRF guard for all outbound HTTP in docker-agent (fetch tool, api tool, openapi tool, a2a tool, MCP OAuth, skills cache, config loading). All verified live to pass the old filter.Testing
29 new test cases in
TestIsPublicIPand 5 new cases inTestSSRFDialControl, including concrete attack IPs (e.g.2002:a9fe:a9fe::which encodes169.254.169.254) and boundary cases confirming no over-blocking.