CVE-2026-44232: dssrf: every IPv6 category bypasses is_url_safe
(updated )
A vulnerability on dssrf allow, an attacker to use, one of them following ipv6
Input Category
http://[::1]/ IPv6 loopback
http://[fc00::1]/ IPv6 ULA
http://[fe80::1]/ IPv6 link-local
http://[::ffff:127.0.0.1]/ IPv4-mapped loopback
http://[::ffff:169.254.169.254]/ IPv4-mapped IMDS
http://[::ffff:100.64.0.1]/ IPv4-mapped CGNAT
http://[64:ff9b::7f00:1]/ NAT64 well-known prefix
http://[64:ff9b:1::1]/ NAT64 local-use (RFC 8215)
http://[5f00::1]/ SRv6 SID (RFC 9602)
http://[3fff::1]/ IPv6 documentation (RFC 9637)
http://[fec0::1]/ IPv6 site-local (deprecated, RFC 3879)
http://[::127.0.0.1]/ IPv4-compatible IPv6
one of those to bypass dssrf and the attacker get SSRF, we claim that ipv6 disabled entirely that is wrong on our documentation
References
Code Behaviors & Features
Detect and mitigate CVE-2026-44232 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →