GHSA-q4x5-8cj6-52wg

Source
https://github.com/advisories/GHSA-q4x5-8cj6-52wg
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-q4x5-8cj6-52wg/GHSA-q4x5-8cj6-52wg.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-q4x5-8cj6-52wg
Aliases
  • CVE-2026-47684
Published
2026-06-05T16:34:59Z
Modified
2026-06-05T16:45:18.933180123Z
Severity
  • 7.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Summary
Sync-in Server: SSRF protection bypass via IPv4-mapped IPv6 addresses in regExpPrivateIP
Details

Summary: The private IP blocklist regex used in the URL download feature does not match IPv4-mapped IPv6 addresses (e.g. ::ffff:127.0.0.1), allowing SSRF protection to be bypassed on dual-stack systems.

Affected components

  • backend/src/applications/files/services/files-manager.service.ts – downloadFromUrl() checks regExpPrivateIP against request.socket.remoteAddress.
  • backend/src/applications/files/utils/url-file.ts – regExpPrivateIP does not include ::ffff:<ipv4> variants.

Details: The regExpPrivateIP regex in backend/src/applications/files/utils/url-file.ts correctly blocks the standard IPv4 private ranges but does not include the ::ffff: prefixed (IPv4-mapped IPv6) variants. On dual-stack systems, Node.js can report a socket's remoteAddress in IPv4-mapped IPv6 form (for example ::ffff:127.0.0.1 instead of 127.0.0.1), so the string never matches the IPv4-only pattern and the check in FilesManager.downloadFromUrl() can be bypassed entirely.

PoC: poc.pdf

Proof: screenshot (https://github.com/user-attachments/assets/797cea83-0a08-4a16-a91b-31c51068d473)

Impact: An attacker can supply a crafted URL pointing to an internal address that gets reported as ::ffff:127.0.0.1 or ::ffff:10.x.x.x, causing the server to fetch internal resources that should be blocked. Any user with access to the file download feature is a potential attacker.
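The following is an added example, not code from the Sync-in project: regExpPrivateIPLegacy is an assumed stand-in for regExpPrivateIP (the advisory does not reproduce the real pattern), and the function names, the fail-closed policy and the sample addresses are all this example's own. It shows the bug class side by side with a hardened check that folds IPv4-mapped IPv6 literals back to dotted-quad form before classifying them numerically, and that also covers the IPv6-native loopback, unique-local and link-local ranges.

```typescript
// Added example (not code from the Sync-in project). regExpPrivateIPLegacy is an
// assumed stand-in for regExpPrivateIP, whose exact contents the advisory does not
// show; it reproduces the bug class: IPv4 prefixes only, so an IPv4-mapped IPv6
// literal such as "::ffff:127.0.0.1" never matches and the download goes ahead.
const regExpPrivateIPLegacy =
  /^(?:127\.|10\.|192\.168\.|172\.(?:1[6-9]|2\d|3[01])\.|169\.254\.|0\.)/;

function isBlockedLegacy(remoteAddress: string): boolean {
  return regExpPrivateIPLegacy.test(remoteAddress);
}

// Strict dotted-quad parser: four decimal octets, each 0..255, or null.
function parseIPv4(s: string): number[] | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((n) => n <= 255) ? octets : null;
}

// Fold an IPv4-mapped IPv6 literal back to its dotted-quad form. Covers the
// "::ffff:a.b.c.d" and "::ffff:hhhh:hhhh" spellings and the fully expanded
// "0:0:0:0:0:ffff:..." form, in any letter case; a zone index ("%eth0") is
// dropped. Anything else comes back trimmed and lower-cased but otherwise unchanged.
function normalizeAddress(remoteAddress: string): string {
  const a = remoteAddress.trim().toLowerCase().replace(/%.*$/, "");
  const m = /^(?:::|(?:0{1,4}:){5})ffff:(.+)$/.exec(a);
  if (!m) return a;
  const tail = m[1];
  if (parseIPv4(tail)) return tail;
  const hex = /^([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(tail);
  if (!hex) return a;
  const hi = parseInt(hex[1], 16);
  const lo = parseInt(hex[2], 16);
  return `${hi >> 8}.${hi & 0xff}.${lo >> 8}.${lo & 0xff}`;
}

// Numeric range test instead of a prefix regex, so octet overflows such as
// 10.0.0.256 are rejected by the parser rather than pattern-matched as private.
function isPrivateIPv4(o: number[]): boolean {
  const [a, b] = o;
  return (
    a === 0 ||                              // 0.0.0.0/8
    a === 10 ||                             // 10.0.0.0/8
    a === 127 ||                            // 127.0.0.0/8 loopback
    (a === 100 && b >= 64 && b <= 127) ||   // 100.64.0.0/10 shared address space
    (a === 169 && b === 254) ||             // 169.254.0.0/16 link-local (cloud metadata)
    (a === 172 && b >= 16 && b <= 31) ||    // 172.16.0.0/12
    (a === 192 && b === 168) ||             // 192.168.0.0/16
    a >= 224                                // multicast and reserved
  );
}

// Hardened check: normalise first, classify IPv4 numerically, then cover the IPv6
// equivalents (loopback, unspecified, unique-local fc00::/7, link-local fe80::/10).
// Input that parses as neither is treated as blocked, so the check fails closed.
function isPrivateAddressHardened(remoteAddress: string): boolean {
  const a = normalizeAddress(remoteAddress);
  const v4 = parseIPv4(a);
  if (v4) return isPrivateIPv4(v4);
  if (a === "::1" || a === "::") return true;
  if (/^f[cd][0-9a-f]{2}:/.test(a) || /^fe[89ab][0-9a-f]:/.test(a)) return true;
  return !/^[0-9a-f:]+$/.test(a);
}

// Constructed sample values as request.socket.remoteAddress might report them on a
// dual-stack host; not captured from a real Sync-in instance.
const SAMPLE_REMOTE_ADDRESSES = [
  "127.0.0.1",
  "::ffff:127.0.0.1",
  "::ffff:7f00:1",
  "::FFFF:10.0.0.5",
  "::1",
  "203.0.113.10",
];

// Run both checks over the samples so the bypass rows are visible side by side.
function compareChecks(addrs: string[] = SAMPLE_REMOTE_ADDRESSES) {
  return addrs.map((addr) => ({
    addr,
    legacy: isBlockedLegacy(addr),
    hardened: isPrivateAddressHardened(addr),
  }));
}

for (const row of compareChecks()) {
  console.log(`${row.addr.padEnd(20)} legacy=${row.legacy}  hardened=${row.hardened}`);
}
```

The second, third and fourth sample rows are the bypass: the legacy pattern reports them as not private while the hardened check blocks them. In a real Node.js service the same fold can be applied in front of an existing regex, or the regex replaced by the numeric classification as above; net.isIP() from the standard library is a convenient way to validate the normalised result before classifying it. Whatever form the check takes, it should fail closed on anything it cannot parse, since the caller is about to make an outbound connection on the attacker's behalf.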

Database specific
{
    "nvd_published_at": null,
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-05T16:34:59Z",
    "cwe_ids": [
        "CWE-918"
    ]
}
References

Affected packages

npm / @sync-in/server

Package

Name
@sync-in/server
Purl
pkg:npm/%40sync-in%2Fserver

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.3.0

Database specific

last_known_affected_version_range
"<= 2.2.1"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-q4x5-8cj6-52wg/GHSA-q4x5-8cj6-52wg.json"