by kaetemi 868 days ago
Seems like this is a common error: systems that treat IPv4 and IPv6 addresses as entirely distinct things. The mapping is easily missed in new implementations. Wonder how many vulnerabilities there are out there with this same mistake.
2 comments

It's a common bypass of server-side request forgery filtering. Backends will try to validate that a user-submitted URL doesn't resolve to an internal IPv4 address, but they'll happily allow an IPv6-mapped version for the same IPv4 address.
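
The filtering gap described in the comment above, as an added example that is not part of the thread: a check that treats IPv4 and IPv6 as separate address spaces next to one that unwraps IPv4-mapped addresses first. The blocklists, function names and sample addresses are constructed for illustration, and the input is assumed to be an already-resolved IP address string.

```python
import ipaddress

# Internal ranges a backend would refuse to fetch from
# (constructed lists for this example; extend for your environment).
BLOCKED_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
)]
BLOCKED_V6 = [ipaddress.ip_network(n) for n in (
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


def naive_is_internal(addr: str) -> bool:
    """The mistake: IPv4 and IPv6 are handled as unrelated address spaces."""
    ip = ipaddress.ip_address(addr)
    nets = BLOCKED_V4 if ip.version == 4 else BLOCKED_V6
    return any(ip in net for net in nets)


def is_internal(addr: str) -> bool:
    """Unwrap ::ffff:a.b.c.d to a.b.c.d before applying the IPv4 rules."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # now an IPv4Address, judged by the IPv4 list
    nets = BLOCKED_V4 if ip.version == 4 else BLOCKED_V6
    return any(ip in net for net in nets)


def missed_by_naive(addresses):
    """Return the addresses the naive check lets through but the fixed one blocks."""
    return [a for a in addresses if is_internal(a) and not naive_is_internal(a)]


if __name__ == "__main__":
    # Constructed sample inputs: plain, mapped (dotted and hex form), public.
    samples = ["127.0.0.1", "::ffff:127.0.0.1", "::ffff:7f00:1",
               "::ffff:169.254.169.254", "::ffff:93.184.216.34", "::1"]
    for a in samples:
        print(f"{a:26} naive={naive_is_internal(a)!s:5} fixed={is_internal(a)}")
    print("missed by naive filter:", missed_by_naive(samples))
```
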
Yes, and what other vulnerabilities would be out there? IPv6 is something that nearly all machines have, and have enabled, but it is rarely used.
One potential scenario is bypassing rate limits, enabling abuse, scraping etc. because of the large IP blocks each customer is granted, and seemingly the lack of standardization there.

The assumption of there being a finite amount of IPs to cycle for an attack doesn’t entirely hold with IPv6, and seems like not all software is configured to take that into account.

Explained here better: https://adam-p.ca/blog/2022/02/ipv6-rate-limiting/

Unsavory but true, it's nice in a way that ip addrs have a cost. Kinda like phone numbers.

The naive suggestion for IPv6 in that article is what I first thought, block a /64, but since that might still be too cheap, it also quotes a more robust algo of dynamically expanding the blocking scope.