GHSA-xgch-x3mx-cm3c: safeurl is Missing IPv6 CIDR Ranges in Blocklist
The safeurl library's privateNetworks blocklist was missing several IPv6 CIDR ranges, including NAT64 local-use prefix, Segment Routing SIDs, documentation prefix, and Dummy IPv6 Prefix. This omission could allow attackers to reach resources within these unblocked IPv6 ranges. The issue affects versions prior to 0.2.4. The vulnerability has moderate severity and can be mitigated by upgrading to version 0.2.4 or disabling IPv6 support, which is the default behavior.
AI Analysis
Technical Summary
The safeurl library's privateNetworks blocklist did not include certain newly added IPv6 CIDR ranges: 64:ff9b:1::/48 (NAT64 local-use prefix), 5f00::/16 (Segment Routing SIDs), 3fff::/20 (documentation prefix), and 100:0:0:1::/64 (Dummy IPv6 Prefix). This omission means these ranges were not blocked as intended, potentially allowing an attacker to access resources hosted on IPs within these ranges. The vulnerability is identified as CVE-2026-54452 and affects versions of safeurl before 0.2.4. The issue is categorized under CWE-918 (Server-Side Request Forgery).
Potential Impact
An attacker could potentially reach internal or otherwise restricted resources hosted on IP addresses within the missing IPv6 CIDR ranges, bypassing the intended blocklist protections. This could lead to unauthorized access or information disclosure related to those resources.
Mitigation Recommendations
Upgrade safeurl to version 0.2.4 or later, where the missing IPv6 CIDR ranges are included in the blocklist. Alternatively, disable IPv6 support by setting EnableIPv6(false), which is the default behavior of the library. These steps effectively mitigate the vulnerability.
GHSA-xgch-x3mx-cm3c: safeurl is Missing IPv6 CIDR Ranges in Blocklist
Description
The safeurl library's privateNetworks blocklist was missing several IPv6 CIDR ranges, including NAT64 local-use prefix, Segment Routing SIDs, documentation prefix, and Dummy IPv6 Prefix. This omission could allow attackers to reach resources within these unblocked IPv6 ranges. The issue affects versions prior to 0.2.4. The vulnerability has moderate severity and can be mitigated by upgrading to version 0.2.4 or disabling IPv6 support, which is the default behavior.
CVSS v4.0
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The safeurl library's privateNetworks blocklist did not include certain newly added IPv6 CIDR ranges: 64:ff9b:1::/48 (NAT64 local-use prefix), 5f00::/16 (Segment Routing SIDs), 3fff::/20 (documentation prefix), and 100:0:0:1::/64 (Dummy IPv6 Prefix). This omission means these ranges were not blocked as intended, potentially allowing an attacker to access resources hosted on IPs within these ranges. The vulnerability is identified as CVE-2026-54452 and affects versions of safeurl before 0.2.4. The issue is categorized under CWE-918 (Server-Side Request Forgery).
Potential Impact
An attacker could potentially reach internal or otherwise restricted resources hosted on IP addresses within the missing IPv6 CIDR ranges, bypassing the intended blocklist protections. This could lead to unauthorized access or information disclosure related to those resources.
Mitigation Recommendations
Upgrade safeurl to version 0.2.4 or later, where the missing IPv6 CIDR ranges are included in the blocklist. Alternatively, disable IPv6 support by setting EnableIPv6(false), which is the default behavior of the library. These steps effectively mitigate the vulnerability.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-xgch-x3mx-cm3c
- Osv Schema Version
- 1.4.0
- Aliases
- ["CVE-2026-54452"]
- Ecosystems
- ["Go"]
- Database Specific Severity
- MODERATE
- Cvss Version
- 4.0
Threat ID: 6a58b41468715ace43d68313
Added to database: 07/16/2026, 10:36:04 UTC
Last enriched: 07/16/2026, 10:55:57 UTC
Last updated: 07/16/2026, 10:55:57 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.