Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

GHSA-m5x5-28jr-gpjj: pyLoad: SSRF guard bypass via IPv6 6to4/NAT64 transition wrappers of internal IPs

0
Medium
Published: 07/09/2026 (07/09/2026, 13:35:22 UTC)
Source: GCVE Database
Product: pyload-ng

Description

pyload-ng contains a Server-Side Request Forgery (SSRF) vulnerability due to improper validation of IPv6 6to4 and NAT64 transition addresses. The vulnerability arises because the function is_global_address relies on Python's ipaddress.ip_address(value).is_global property, which incorrectly classifies certain IPv6 transition prefixes as globally routable. This allows attackers to bypass SSRF protections and reach internal IPv4 endpoints embedded within these IPv6 addresses. Exploitation requires network conditions that route 6to4 or NAT64 traffic and privileges to add links in pyload-ng. The vulnerability is rated medium severity with a CVSS score of 4.7.

CVSS v3.1

Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
Low
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:L

Affected software

PyPIghsa
pyload-ng
Affected versions
<=0.5.0b3.dev100

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/09/2026, 14:03:08 UTC

Technical Analysis

The SSRF guard in pyload-ng uses the is_global_address function to block non-globally routable IPs, relying on Python's ipaddress.ip_address(value).is_global property. However, this property incorrectly returns True for IPv6 6to4 (2002::/16) and NAT64 (64:ff9b::/96) transition prefixes, which encapsulate internal IPv4 addresses. As a result, pyload-ng's SSRF protections can be bypassed by supplying IPv6 literals or AAAA DNS records that map to internal IPv4 addresses via these transition mechanisms. This leads to potential internal network reconnaissance and limited data exfiltration, such as cloud metadata access. The vulnerability affects pyload-ng versions from the introduction of is_global_address/is_global_host up to an unspecified fixed version. Exploitation requires the host network to route 6to4 or NAT64 traffic and privileges to add links (Perms.ADD).

Potential Impact

An attacker with limited privileges (Perms.ADD) can bypass SSRF protections in pyload-ng by exploiting the incorrect classification of IPv6 6to4 and NAT64 transition addresses as globally routable. This enables internal network reconnaissance and timing-based confirmation of internal endpoints, including potential exfiltration of cloud metadata services. The impact is limited to confidentiality and availability with no direct integrity impact. Exploitation requires specific network routing conditions (6to4 or NAT64) and is rated medium severity (CVSS 4.7).

Mitigation Recommendations

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, users should be aware that SSRF protections relying on is_global_address may be bypassed via IPv6 transition addresses. Restricting or monitoring the use of IPv6 6to4 and NAT64 prefixes in network configurations and DNS records may reduce risk. Avoid running pyload-ng on Python versions 3.9 through 3.11 where 6to4 is classified as global. Follow vendor updates for official fixes.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Gcve Source
db.gcve.eu
Osv Id
GHSA-m5x5-28jr-gpjj
Osv Schema Version
1.4.0
Aliases
["CVE-2026-48737"]
Ecosystems
["PyPI"]
Database Specific Severity
MODERATE
Cvss Version
3.1

Threat ID: 6a4fa9a168715ace437d3e27

Added to database: 07/09/2026, 14:01:05 UTC

Last enriched: 07/09/2026, 14:03:08 UTC

Last updated: 07/09/2026, 18:16:55 UTC

Views: 13

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses