Impact
Sync‑in Server’s URL download routine used a regular expression to block private IP addresses, but the pattern failed to match IPv4‑mapped IPv6 addresses such as ::ffff:127.0.0.1. This flaw allows an attacker to supply a URL that resolves to a local resource while appearing to point to a public address, thus bypassing the SSRF protection. The outcome is that an attacker can trick the server into fetching internal files, credentials, or other sensitive data, violating confidentiality and integrity of the system.
Affected Systems
The vulnerability affects the Sync‑in Server platform. All deployments running a version older than 2.3.0 are susceptible. The fix was released with the v2.3.0 release, which updated the regular expression to block IPv4‑mapped IPv6 addresses.
Risk and Exploitability
The CVSS score of 7.7 indicates a high impact, while the EPSS score of less than 1% shows that exploitation is currently considered uncommon. Because the vulnerability depends on the ability to forge a URL directed at a private resource, it is local or external based on the network topology. The issue is not listed in the CISA KEV catalog, yet it remains a significant threat for environments that enable the download feature.
OpenCVE Enrichment
Github GHSA