GHSA-m5x5-28jr-gpjj: pyLoad: SSRF guard bypass via IPv6 6to4/NAT64 transition wrappers of internal IPs
mediumvulnerability
security
Summary
pyLoad has a security flaw where its SSRF (server-side request forgery, a vulnerability that lets attackers make the application access internal systems) guard can be bypassed using special IPv6 addresses that wrap internal IP addresses. Specifically, 6to4 and NAT64 (IPv6 transition techniques that encode IPv4 addresses inside IPv6 format) are incorrectly classified as globally routable by Python's built-in IP checking, allowing attackers to reach internal systems like 127.0.0.1 or 10.0.0.1 when the host network supports these transition methods.
Vulnerability Details
EPSS (30-day exploit probability)
EPSS: 0.0%
Disclosure Date
July 9, 2026
Classification
Attack SophisticationModerate
Affected Packages
pyload-ng@<= 0.5.0b3.dev100
Monthly digest — independent AI security research
Original source: https://github.com/advisories/GHSA-m5x5-28jr-gpjj
First tracked: July 9, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 95%