Security Fix: Fix IPv4-mapped IPv6 metadata IP bypass vulnerability#739
mehmoodosman wants to merge 1 commit into garrytan:main from
This commit fixes a critical security vulnerability where IPv4-mapped IPv6 addresses could bypass the cloud metadata endpoint protection.

Vulnerability Details:
- The metadata IP 169.254.169.254 (AWS/GCP/Azure metadata endpoint) could be accessed using IPv4-mapped IPv6 addresses like ::ffff:169.254.169.254 or ::ffff:a9fe:a9fe
- These formats bypassed the existing isMetadataIp() check which only normalized via the URL constructor, not handling the IPv4-in-IPv6 embedding

Changes Made:
1. Added extractIpv4FromMappedIpv6() function to detect and extract IPv4 addresses from IPv4-mapped IPv6 formats:
   - ::ffff:x.x.x.x (standard IPv4-mapped)
   - ::x.x.x.x (deprecated IPv4-compatible)
   - Full forms with all 8 groups
   - Hex-encoded forms (a9fe:a9fe representing 169.254.169.254)
2. Updated isMetadataIp() to use the new extraction function and check if the extracted IPv4 is a blocked metadata endpoint
3. Added comprehensive test cases for all IPv4-mapped IPv6 bypass variants:
   - ::ffff:169.254.169.254
   - ::ffff:a9fe:a9fe (hex encoding)
   - ::169.254.169.254 (deprecated)
   - Full forms with 8 groups
   - Hex-encoded full forms

Security Impact: HIGH - This prevents SSRF attacks targeting cloud metadata endpoints via IPv6 address encoding bypasses.

Fixes: garrytan#735 (security advisory)
Author comment (mehmoodosman):
@garrytan this is a critical vulnerability fix for a security vulnerability that can compromise AWS/GCP/Azure credentials with SSRF attacks if they haven't been already.
Security Fix: IPv4-mapped IPv6 metadata IP bypass vulnerability
Summary
This PR fixes a critical SSRF vulnerability where IPv4-mapped IPv6 addresses could bypass cloud metadata endpoint protection.
Vulnerability Details
The metadata IP 169.254.169.254 (AWS/GCP/Azure metadata endpoint) could be accessed using IPv4-mapped IPv6 addresses, bypassing the existing security controls.

Bypass Examples (now blocked):
- http://[::ffff:169.254.169.254]/ - Standard IPv4-mapped IPv6
- http://[::ffff:a9fe:a9fe]/ - Hex-encoded IPv4-mapped
- http://[::169.254.169.254]/ - Deprecated IPv4-compatible
- http://[0:0:0:0:0:ffff:169.254.169.254]/ - Full form with 8 groups
- http://[0:0:0:0:0:0:a9fe:a9fe]/ - Full form hex-encoded

Changes Made
- Added extractIpv4FromMappedIpv6() function - Detects and extracts IPv4 addresses from IPv4-mapped IPv6 formats including:
  - Standard IPv4-mapped (::ffff:x.x.x.x)
  - Deprecated IPv4-compatible (::x.x.x.x)
  - Hex-encoded (a9fe:a9fe = 169.254.169.254)
- Updated isMetadataIp() function - Now checks if extracted IPv4 addresses are blocked metadata endpoints
- Added comprehensive test suite - 8 new test cases covering all IPv4-mapped IPv6 bypass variants
Testing
All tests pass including the new adversarial test cases for IPv4-mapped IPv6 addresses.
Security Impact
HIGH - Prevents SSRF attacks targeting cloud metadata endpoints via IPv6 address encoding bypasses. Could have exposed AWS/GCP/Azure instance credentials.