CVE-2026-44232: dssrf: every IPv6 category bypasses is_url_safe
A vulnerability in dssrf allows an attacker to bypass its SSRF protections by supplying one of the following IPv6 addresses, resulting in a successful SSRF. This contradicts dssrf documentation, which incorrectly claims that IPv6 is disabled entirely. See below:
Input Category
http://[::1]/ IPv6 loopback
http://[fc00::1]/ IPv6 ULA
http://[fe80::1]/ IPv6 link-local
http://[::ffff:127.0.0.1]/ IPv4-mapped loopback
http://[::ffff:169.254.169.254]/ IPv4-mapped IMDS
http://[::ffff:100.64.0.1]/ IPv4-mapped CGNAT
http://[64:ff9b::7f00:1]/ NAT64 well-known prefix
http://[64:ff9b:1::1]/ NAT64 local-use (RFC 8215)
http://[5f00::1]/ SRv6 SID (RFC 9602)
http://[3fff::1]/ IPv6 documentation (RFC 9637)
http://[fec0::1]/ IPv6 site-local (deprecated, RFC 3879)
http://[::127.0.0.1]/ IPv4-compatible IPv6
References
Code Behaviors & Features
Detect and mitigate CVE-2026-44232 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →