github.com/hakobe/paranoidhttp is vulnerable to Server-Side Request Forgery (SSRF). The vulnerability exists due to the use of ip.To4 in the safeAddr function of client.go, as the library matches [::] to the 127.0.0.1 address, but lacks filtering of private addresses, which allows a remote attacker to abuse server functionality and access or modify server resources.
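The following is an added example, not the library's own code: it shows how an address check that filters only when ip.To4() succeeds lets [::] through, next to a check that also covers IPv6. The function names weakSafeAddr and hardenedSafeAddr and the deny-list are constructed for illustration.

```go
package main

import (
	"fmt"
	"net"
)

// Constructed IPv4 deny-list for this example (not the library's own list).
var blockedV4 = mustCIDRs("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")

func mustCIDRs(cidrs ...string) (out []*net.IPNet) {
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		out = append(out, n)
	}
	return out
}

// weakSafeAddr (hypothetical): filters only when ip.To4() != nil, so "::" is never checked.
func weakSafeAddr(ip net.IP) bool {
	if ip4 := ip.To4(); ip4 != nil {
		for _, n := range blockedV4 {
			if n.Contains(ip4) {
				return false
			}
		}
	}
	return true
}

// hardenedSafeAddr (hypothetical) also rejects IPv6 unspecified, loopback,
// link-local and private (fc00::/7) addresses, and fails closed on nil.
func hardenedSafeAddr(ip net.IP) bool {
	if ip == nil || ip.IsUnspecified() || ip.IsLoopback() || ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() {
		return false
	}
	return weakSafeAddr(ip)
}

func main() {
	for _, s := range []string{"::", "::1", "127.0.0.1", "10.1.2.3", "93.184.216.34"} {
		ip := net.ParseIP(s)
		fmt.Printf("%-15s weak=%-5v hardened=%v\n", s, weakSafeAddr(ip), hardenedSafeAddr(ip))
	}
}
```

A check like this belongs at connection time, on the address actually being dialed, so that it applies to the resolved IP and not only to the hostname in the URL.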