Description
Sync-in Server is a secure, open-source platform for file storage, sharing, collaboration, and syncing. Prior to version 2.3.0, the private IP blocklist regex used in the URL download feature does not match IPv4-mapped IPv6 addresses (e.g. ::ffff:127.0.0.1), allowing SSRF protection to be bypassed on dual-stack systems. Version 2.3.0 fixes the issue.
Published: 2026-06-16
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Sync‑in Server’s URL download routine used a regular expression to block private IP addresses, but the pattern failed to match IPv4‑mapped IPv6 addresses such as ::ffff:127.0.0.1. This flaw allows an attacker to supply a URL that resolves to a local resource while appearing to point to a public address, thus bypassing the SSRF protection. The outcome is that an attacker can trick the server into fetching internal files, credentials, or other sensitive data, violating confidentiality and integrity of the system.

Affected Systems

The vulnerability affects the Sync‑in Server platform. All deployments running a version older than 2.3.0 are susceptible. The fix was released with the v2.3.0 release, which updated the regular expression to block IPv4‑mapped IPv6 addresses.

Risk and Exploitability

The CVSS score of 7.7 indicates a high impact, while the EPSS score of less than 1% shows that exploitation is currently considered uncommon. Because the vulnerability depends on the ability to forge a URL directed at a private resource, it is local or external based on the network topology. The issue is not listed in the CISA KEV catalog, yet it remains a significant threat for environments that enable the download feature.

Generated by OpenCVE AI on June 17, 2026 at 21:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Sync‑in Server to version 2.3.0 or later to apply the regular‑expression patch.
  • If an upgrade is not immediately possible, restrict the download feature so that it only accepts URLs whose host resolves to a public IP, or block internal IP ranges through network firewall rules.
  • Disable or limit the use of IPv6 URLs in the download path if the application logic allows, to eliminate the mapped‑address attack surface.

Generated by OpenCVE AI on June 17, 2026 at 21:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-q4x5-8cj6-52wg Sync-in Server: SSRF protection bypass via IPv4-mapped IPv6 addresses in regExpPrivateIP
History

Tue, 16 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Sync-in
Sync-in server
Vendors & Products Sync-in
Sync-in server

Tue, 16 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Description Sync-in Server is a secure, open-source platform for file storage, sharing, collaboration, and syncing. Prior to version 2.3.0, the private IP blocklist regex used in the URL download feature does not match IPv4-mapped IPv6 addresses (e.g. ::ffff:127.0.0.1), allowing SSRF protection to be bypassed on dual-stack systems. Version 2.3.0 fixes the issue.
Title Sync-in Server: SSRF protection bypass via IPv4-mapped IPv6 addresses in regExpPrivateIP
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-16T17:10:12.548Z

Reserved: 2026-05-19T21:18:20.402Z

Link: CVE-2026-47684

cve-icon Vulnrichment

Updated: 2026-06-16T17:01:51.847Z

cve-icon NVD

Status : Deferred

Published: 2026-06-16T15:16:41.063

Modified: 2026-06-16T19:16:55.613

Link: CVE-2026-47684

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T21:45:02Z

Weaknesses
  • CWE-918

    Server-Side Request Forgery (SSRF)