EXECUTIVE SUMMARY:
CVE-2026-47684 (CVSS 7.7) is a Server-Side Request Forgery (SSRF) weakness in the @sync-in/server package. The flaw is in the URL download routine: a regular expression intended to block private-network IP addresses does not recognise IPv4-mapped IPv6 notation (the ::ffff:a.b.c.d form, in which an IPv4 address is carried inside an IPv6 literal), so a crafted URL bypasses the internal-network filter on dual-stack hosts, where Node.js reports remote addresses in that IPv6 form. An attacker who can invoke the file-download API, typically an authenticated user, supplies a URL that targets internal services, databases or cloud metadata endpoints; the server issues the outbound request to the private resource on the attacker's behalf, effectively acting as a proxy. This allows enumeration of internal assets, exfiltration of sensitive data, and further attacks launched from a trusted network position. The business impact includes exposure of confidential configuration data, credential leakage, and disruption of internal services, particularly in environments that rely on network segmentation as a security control. Exploitation requires a dual-stack host and user-controlled access to the download functionality.
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details: