Note Detail


silverpill@silverpill@mitra.social (2026-05-14 04:21:56)
#APx v0.24.0

https://docs.rs/apx_sdk/0.24.0/apx_sdk/index.html

This release includes fixes for vulnerabilities relating to SSRF protection, similar to ones that were recently discovered in @fedify:

https://hollo.social/@fedify/019e123c-57eb-781d-aa51-ca7dfc190ce7

As it turned out, http://[::ffff:7f00:1]/ is equivalent to http://127.0.0.1/

Full changelog: https://codeberg.org/silverpill/mitra/src/tag/apx-v0.24.0/apx_sdk/CHANGELOG.md

---Replies---
silverpill@silverpill@mitra.social (2026-05-15 03:54:46)
Also updating the AP-Next developer guide:

At the very least, requests to localhost, private and unspecified IPv4 and IPv6 addresses must be blocked. Note that IPv6 addresses can be mapped to IPv4 addresses.

Some people also recommend blocking requests to multicast addresses, but I was not able to find any information on how to use them for SSRF (apart from a couple of slop CVEs).
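An added example (not APx, Mitra or Fedify code) of the destination check the two posts describe: it unwraps an IPv4-mapped IPv6 address before applying the IPv4 rules, so that `[::ffff:7f00:1]` is judged exactly like `127.0.0.1`, and rejects loopback, private, unspecified and (going slightly beyond the text) link-local ranges; multicast is left out, as in the reply. The `host_is_forbidden` helper and its bracket stripping are this example's own assumptions about how the URL host is handed in.

```rust
// Constructed example of an SSRF destination deny-list; not code from
// apx_sdk or the AP-Next developer guide.
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};
use std::str::FromStr;

/// IPv4 ranges an ActivityPub fetcher must never contact.
fn is_forbidden_v4(addr: Ipv4Addr) -> bool {
    addr.is_loopback()           // 127.0.0.0/8
        || addr.is_private()     // 10/8, 172.16/12, 192.168/16
        || addr.is_link_local()  // 169.254.0.0/16
        || addr.is_unspecified() // 0.0.0.0
}

/// IPv6 rules. An IPv4-mapped address (::ffff:a.b.c.d, also written
/// ::ffff:xxxx:xxxx) is unwrapped first and judged by the IPv4 rules,
/// so ::ffff:7f00:1 is treated as 127.0.0.1 rather than passing as a
/// "public" IPv6 address.
fn is_forbidden_v6(addr: Ipv6Addr) -> bool {
    if let Some(v4) = addr.to_ipv4_mapped() {
        return is_forbidden_v4(v4);
    }
    let seg0 = addr.segments()[0];
    addr.is_loopback()                // ::1
        || addr.is_unspecified()      // ::
        || (seg0 & 0xfe00) == 0xfc00  // fc00::/7 unique local (private)
        || (seg0 & 0xffc0) == 0xfe80  // fe80::/10 link local
}

/// Decide for either address family.
pub fn is_forbidden(addr: IpAddr) -> bool {
    match addr {
        IpAddr::V4(a) => is_forbidden_v4(a),
        IpAddr::V6(a) => is_forbidden_v6(a),
    }
}

/// Check a URL host literal as written; IPv6 hosts arrive in brackets.
/// Returns None when the host is not an IP literal (a DNS name), in which
/// case the caller must resolve it and run `is_forbidden` on every result.
pub fn host_is_forbidden(host: &str) -> Option<bool> {
    let literal = host.trim_start_matches('[').trim_end_matches(']');
    IpAddr::from_str(literal).ok().map(is_forbidden)
}
```

Run the check on the addresses the connection will actually use (after DNS resolution and on every redirect hop), not only on the host written in the original URL.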