CVE-2023-24623
HIGH
paranoidhttp < 0.3.0 - Server-Side Request Forgery via IPv6 Loopback Bypass
Title source: llm
Description
Paranoidhttp before 0.3.0 allows SSRF because [::] is equivalent to the 127.0.0.1 address, but does not match the filter for private addresses.
References (3)
Core References
Release Notes, Third Party Advisory
https://github.com/hakobe/paranoidhttp/blob/master/CHANGELOG.md#v030-2023-01-19
Patch, Third Party Advisory
https://github.com/hakobe/paranoidhttp/commit/07f671da14ce63a80f4e52432b32e8d178d75fd3
Patch, Third Party Advisory
https://github.com/hakobe/paranoidhttp/compare/v0.2.0...v0.3.0
Scores
CVSS v3
7.5
EPSS
0.0068
EPSS Percentile
47.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-918
Status
published
Products (2)
hakobe/paranoidhttp
0 - 0.3.0
Go
paranoidhttp_project/paranoidhttp
< 0.3.0
Published
Jan 30, 2023
Tracked Since
Feb 18, 2026