
fix(security): resolve IPv4 signed 32-bit integer overflow in SSRF protection (#3118) #3140

Open

desireddymohithreddy0925 wants to merge 1 commit into Priyanshu-byte-coder:main from desireddymohithreddy0925:fix/ip-overflow-ssrf


Conversation

@desireddymohithreddy0925

Contributor

Summary

Resolves a critical Server-Side Request Forgery (SSRF) bypass by fixing a signed 32-bit integer overflow in the IP parsing logic.

Closes #3118


Type of Change

  • 🔒 Security fix

What Changed

  • Updated the ipToNumber utility in src/lib/ssrf-protection.ts to construct IP numbers using safe unsigned multiplication instead of bitwise shifting, preventing values like 192.x.x.x and 172.x.x.x from wrapping into negative numbers and bypassing private IP range checks.
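The overflow and the fix described in this PR, as an added illustration rather than the project's own src/lib/ssrf-protection.ts: a shift-based conversion is run beside a multiplication-based one through the same private-range check with unsigned numeric bounds. The names ipToNumberSigned, isBlockedAddress, compare and the BLOCKED_RANGES table are constructed for the example. It also generalizes the PR's 192.x.x.x and 172.x.x.x cases: every first octet of 128 or more goes negative under `<<`, while 10/8 and 127/8 stay positive and are still caught, which is why the bug is easy to miss in a test suite that only probes loopback.

```typescript
// Added example, not the project's src/lib/ssrf-protection.ts. It contrasts
// a shift-based ipToNumber (the overflow) with a multiplication-based one (the
// fix), and runs both through a private-range check with unsigned bounds.
// ipToNumberSigned, isBlockedAddress, compare and BLOCKED_RANGES are
// illustrative names chosen for this example.

// Overflowing form: `a << 24` is evaluated as a signed 32-bit operation in
// JavaScript, so any first octet of 128 or more comes back negative.
function ipToNumberSigned(ip: string): number {
  const [a, b, c, d] = ip.split(".").map(Number);
  return (a << 24) | (b << 16) | (c << 8) | d;
}

// Fixed form: plain multiplication stays in IEEE-754 doubles, which hold every
// integer below 2^53 exactly, so the result is always in 0..4294967295.
// Input is validated strictly as four decimal octets in 0..255 with no
// leading zeros, so the value checked is exactly the address the caller sees.
function ipToNumber(ip: string): number {
  const octets = ip.split(".");
  if (octets.length !== 4) {
    throw new Error(`invalid IPv4 address: ${ip}`);
  }
  const values = octets.map((o) => {
    if (!/^(0|[1-9]\d{0,2})$/.test(o)) {
      throw new Error(`invalid IPv4 octet "${o}" in ${ip}`);
    }
    const n = Number(o);
    if (n > 255) {
      throw new Error(`IPv4 octet out of range: ${o}`);
    }
    return n;
  });
  return values[0] * 16777216 + values[1] * 65536 + values[2] * 256 + values[3];
}

// Blocked ranges with unsigned numeric bounds (start = network address,
// end = last address of the block). Table constructed for this example.
const BLOCKED_RANGES: Array<{ cidr: string; start: number; end: number }> = [
  { cidr: "10.0.0.0/8",     start: 167772160,  end: 184549375 },
  { cidr: "127.0.0.0/8",    start: 2130706432, end: 2147483647 },
  { cidr: "169.254.0.0/16", start: 2851995648, end: 2852061183 },
  { cidr: "172.16.0.0/12",  start: 2886729728, end: 2887778303 },
  { cidr: "192.168.0.0/16", start: 3232235520, end: 3232301055 },
];

// Returns true when `ip` falls inside a blocked range according to `toNumber`.
// With ipToNumberSigned, 192.x.x.x and 172.x.x.x hosts convert to negative
// numbers, which sit below every `start`, so the check silently passes them.
function isBlockedAddress(ip: string, toNumber: (ip: string) => number): boolean {
  const n = toNumber(ip);
  return BLOCKED_RANGES.some((r) => n >= r.start && n <= r.end);
}

// Side-by-side verdict for a list of hosts under both conversions.
function compare(hosts: string[]): Array<{ ip: string; signed: boolean; unsigned: boolean }> {
  return hosts.map((ip) => ({
    ip,
    signed: isBlockedAddress(ip, ipToNumberSigned),
    unsigned: isBlockedAddress(ip, ipToNumber),
  }));
}

// Sample hosts constructed for the demonstration.
for (const row of compare(["10.0.0.1", "172.16.5.4", "192.168.1.1", "8.8.8.8"])) {
  console.log(
    `${row.ip.padEnd(12)} shift-based blocked=${row.signed}  multiply-based blocked=${row.unsigned}`
  );
}
```

Forcing the shifted result back to unsigned with `>>> 0` would also work; multiplication is used here because it matches what the PR describes and needs no knowledge of JavaScript's 32-bit bitwise semantics to read correctly. The regression test worth keeping is the pair of assertions that a 192.168.x.x and a 172.16.x.x host are rejected, since a loopback-only test passes with either conversion.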

github-actions Bot added labels gssoc26 (GSSoC 2026 contribution), type:bug (GSSoC type bonus: bug fix), type:security (GSSoC type bonus: security (+20 pts)) on Jul 5, 2026
github-actions Bot added labels type:feature (GSSoC type bonus: new feature), type:performance (GSSoC type bonus: performance (+15 pts)) on Jul 5, 2026
github-actions Bot commented Jul 5, 2026


GSSoC Label Checklist 🏷️

@Priyanshu-byte-coder — please apply the appropriate labels before merging:

Difficulty (pick one):

  • level:beginner — 20 pts
  • level:intermediate — 35 pts
  • level:advanced — 55 pts
  • level:critical — 80 pts

Quality (optional):

  • quality:clean — ×1.2 multiplier
  • quality:exceptional — ×1.5 multiplier

Validation (required to score):

  • gssoc:approved — counts for points
  • gssoc:invalid / gssoc:spam / gssoc:ai-slop — does not score

Type labels (type:*) are auto-detected from files and title. Review and adjust if needed.
Points formula: (difficulty × quality_multiplier) + type_bonus



Development

Successfully merging this pull request may close these issues.

[SECURITY] JavaScript Signed 32-Bit Integer Overflow in IP Parsing Bypasses SSRF Protection for 192.168.x.x and 172.16.x.x
