LogicalBreach Academy

SSRF Filter Bypass via Unblocked NAT64 Local-Use IPv6 Prefix (64:ff9b:1::/48) | Free Bug Bounty Writeup | LogicalBreach Academy

Back

Server-Side Request Forgery (SSRF)CVSS 7.5Hard

SSRF Filter Bypass via Unblocked NAT64 Local-Use IPv6 Prefix (64:ff9b:1::/48)

hackerone-reports

April 4, 2026

10 views

Save

€0

Vulnerability Summary

HackerOne disclosed report --> https://hackerone.com/reports/3634400 by tipsen

Summary:

ssrf_filter v1.3.0 blocks 64:ff9b::/96, but doesnt block the NAT64 local-use prefix 64:ff9b:1::/48, allowing those addresses to be treated as public. This enables SSRF requests through /fetch to internal-equivalent targets encoded under that prefix when routable in the deployment environment.

Steps To Reproduce:

Like previous report, start our lab first :) (I'm using the library in Docker)
Start a second app container with NET_ADMIN so we can add a test IPv6 route/address.

TIPSEN:~:% NET=$(docker inspect ssrf_filter_lab --format '{{range $k,$v := .NetworkSettings.Networks}}{{$k}}{{end}}')
TIPSEN:~:% docker rm -f ssrf_filter_lab_netadmin 2>/dev/null || true
ssrf_filter_lab_netadmin

Identification Required

You must be logged in to read this writeup. Join our community of researchers today.

Discussion

No comments yet.

Be the first to share your thoughts