
Using special IPv4-mapped IPv6 addresses to bypass local IP ban

Critical
Cloudflare Public Bug Bounty

Team Summary

Official summary from Cloudflare Public Bug Bounty

By using IPv4-mapped IPv6 addresses there was a way to bypass Cloudflare server's network protections and start connections to ports on the loopback (127.0.0.1) or internal IP addresses (such as 10.0.0.1). The bug was caused by the way a Go library interprets mapped IP addresses and how our code was checking for banned IPs. The code was fixed and now checks both IPv4 and IPv6 properly.

Reported by albertspedersen
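An added example (not Cloudflare's code; the page does not name the Go library involved) of how a ban check of this kind fails and how to harden it. It assumes the ban list was matched with Go's net/netip package, whose Prefix.Contains treats an IPv4-mapped IPv6 address as a 128-bit value that never matches an IPv4 prefix; the constructed ban list and the hardened variant that calls Addr.Unmap before matching are assumptions, not the fix Cloudflare shipped.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Constructed ban list (the real one is not on the page): loopback and private ranges.
var bannedPrefixes = []netip.Prefix{
	netip.MustParsePrefix("127.0.0.0/8"),
	netip.MustParsePrefix("10.0.0.0/8"),
	netip.MustParsePrefix("192.168.0.0/16"),
}

func inBannedRange(addr netip.Addr) bool {
	for _, p := range bannedPrefixes {
		if p.Contains(addr) {
			return true
		}
	}
	return false
}

// naiveIsBanned tests the address as parsed: netip.Prefix.Contains never matches
// an IPv4-mapped IPv6 address against an IPv4 prefix, so "::ffff:127.0.0.1" passes.
func naiveIsBanned(host string) (bool, error) {
	addr, err := netip.ParseAddr(host)
	if err != nil {
		return false, err
	}
	return inBannedRange(addr), nil
}

// hardenedIsBanned normalises first: Unmap rewrites an IPv4-mapped address to
// plain IPv4 (a no-op for anything else), so one table covers both spellings.
func hardenedIsBanned(host string) (bool, error) {
	addr, err := netip.ParseAddr(host)
	if err != nil {
		return false, err
	}
	return inBannedRange(addr.Unmap()), nil
}

func main() {
	for _, h := range []string{"127.0.0.1", "::ffff:127.0.0.1", "::ffff:10.0.0.1", "203.0.113.7"} {
		n, _ := naiveIsBanned(h)
		s, _ := hardenedIsBanned(h)
		fmt.Printf("%-17s naive=%-5v hardened=%v\n", h, n, s)
	}
}
```

The same normalisation belongs on the addresses returned by DNS resolution immediately before dialing, not only on literal hosts, since a hostname can resolve to a mapped address as well.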

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Bounty

$7500.00

Submitted