CVE-2024-24790
Published 2024-06-05
Priority P3 · 49 · Critical 9.8 · CVSS 3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS 1.95% (77.7th percentile)
The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.
Affected
27 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-1.15 | — | — |
| debian | golang-1.19 | — | — |
| github.com | axllent_mailpit | >= 0 < 1.30.2 | 1.30.2 |
| github.com | crossplane_crossplane | >= 1.15.5 < 1.15.6 | 1.15.6 |
| github.com | crossplane_crossplane | >= 1.16.2 < 1.16.3 | 1.16.3 |
| github.com | crossplane_crossplane | >= 1.17.1 < 1.17.2 | 1.17.2 |
| github.com | traefik_traefik | >= 0 < 2.11.4 | 2.11.4 |
| github.com | traefik_traefik_v2 | >= 0 < 2.11.4 | 2.11.4 |
| github.com | traefik_traefik_v3 | >= 3.0.0-beta3 < 3.0.2 | 3.0.2 |
| go_standard_library | net_netip | < 1.21.11 | 1.21.11 |
| go_standard_library | net_netip | >= 1.22.0-0 < 1.22.4 | 1.22.4 |
| golang | go | < 1.21.11 | 1.21.11 |
| golang | go | >= 1.22.0 < 1.22.4 | 1.22.4 |
| msrc | azl3_gcc_13.2.0-7_on_azure_linux_3.0 | — | — |
| msrc | azl3_golang_1.24.3-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_python-tensorboard_2.16.2-6_on_azure_linux_3.0 | — | — |
| msrc | azl3_tensorflow_2.16.1-9_on_azure_linux_3.0 | — | — |
| msrc | cbl2_golang_1.17.13-2_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_golang_1.18.8-4_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_golang_1.18.8-7_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_golang_1.21.11-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_golang_1.22.3-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_golang_1.22.7-3_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_msft-golang_1.21.6-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_msft-golang_1.24.1-2_on_cbl_mariner_2.0 | — | — |
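The downstream rows in this table (Mailpit, Crossplane, Traefik, the distro packages) are products rebuilt with a patched toolchain rather than products that changed their own code. The first triage question for a fleet is therefore "which Go toolchain was this binary built with?", which the linker records in every Go binary. The program below is an added example, not tooling from the Go project or any vendor on this page: it reads that build info and compares the recorded version against the `go_standard_library` cutoffs in the table (1.21.11 and 1.22.4). The `fixedIn` map, the function names and the treatment of pre-release suffixes as patch 0 are this example's own assumptions.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime"
	"strconv"
	"strings"
)

// fixedIn mirrors the go_standard_library rows of the table above:
// minor series -> first patch release carrying the fix. Per the table, every
// series older than the oldest listed one is affected (< 1.21.11 as a whole);
// series newer than the newest listed one shipped with the fix.
var fixedIn = map[int]int{21: 11, 22: 4}

// parseGoVersion turns "go1.22.3", "go1.22rc1" or "go1.22.0-0" into
// (minor, patch). Pre-release suffixes count as patch 0 (assumption).
func parseGoVersion(v string) (minor, patch int, ok bool) {
	v = strings.TrimPrefix(v, "go")
	for _, sep := range []string{"rc", "beta", "-"} {
		if i := strings.Index(v, sep); i >= 0 {
			v = v[:i]
		}
	}
	parts := strings.Split(v, ".")
	if len(parts) < 2 || parts[0] != "1" {
		return 0, 0, false
	}
	var err error
	if minor, err = strconv.Atoi(parts[1]); err != nil {
		return 0, 0, false
	}
	if len(parts) > 2 {
		if patch, err = strconv.Atoi(parts[2]); err != nil {
			return 0, 0, false
		}
	}
	return minor, patch, true
}

// affectedToolchain reports whether a toolchain version string falls in a
// range the table marks as affected by CVE-2024-24790.
func affectedToolchain(v string) (bool, error) {
	minor, patch, ok := parseGoVersion(v)
	if !ok {
		return false, fmt.Errorf("unrecognised Go version %q", v)
	}
	oldest, newest := -1, -1
	for m := range fixedIn {
		if oldest < 0 || m < oldest {
			oldest = m
		}
		if m > newest {
			newest = m
		}
	}
	switch {
	case minor < oldest:
		return true, nil
	case minor > newest:
		return false, nil
	}
	return patch < fixedIn[minor], nil
}

// binaryToolchain reads the Go version recorded in a compiled binary's build
// info (the same data `go version <binary>` prints).
func binaryToolchain(path string) (string, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", err
	}
	return bi.GoVersion, nil
}

func main() {
	paths := os.Args[1:]
	if len(paths) == 0 { // no arguments: inspect this program's own binary
		self, err := os.Executable()
		if err != nil {
			fmt.Println(err)
			return
		}
		paths = []string{self}
	}
	fmt.Println("running toolchain:", runtime.Version())
	for _, p := range paths {
		v, err := binaryToolchain(p)
		if err != nil {
			fmt.Printf("%s: %v\n", p, err)
			continue
		}
		affected, err := affectedToolchain(v)
		if err != nil {
			fmt.Printf("%s: %v\n", p, err)
			continue
		}
		fmt.Printf("%s: built with %s, affected=%v\n", p, v, affected)
	}
}
```

Run it as `go run . /usr/local/bin/traefik /usr/local/bin/mailpit` (paths are illustrative) to get one line per binary. A "built with an affected toolchain" verdict only says the vulnerable `net/netip` code is present in the binary; as the Crossplane advisory further down notes, a program may not call the `Is*` helpers at all. `govulncheck`, which consumes the pkg.go.dev vulnerability entry referenced at the bottom of this page, performs that reachability analysis for source and binaries.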
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| NVD (v3.1) | 9.8 | Critical | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| GHSA | 9.8 | Critical | — |
| OSV | 9.8 | Critical | — |
| Debian | 9.8 | Critical | — |
| MSRC | 9.8 | Critical | — |
| Red Hat | 9.8 | Critical | — |
| Ubuntu | 7.5 | High | — |
GHSA · 2026-06-19 · CVSS 8.6
CVE-2026-55187 [HIGH] CWE-918 Mailpit: Incomplete SSRF protection in Link Check API via IPv6 transition mechanisms
## Summary
The remediation shipped in mailpit v1.29.2 for [GHSA-mpf7-p9x7-96r3](https://github.com/axllent/mailpit/security/advisories/GHSA-mpf7-p9x7-96r3) (CVE-2026-27808) is incomplete. The `tools.IsInternalIP` deny-list relies on Go's stdlib classification helpers (`IsLoopback`, `IsPrivate`, `IsLinkLocalUnicast`, `IsLinkLocalMulticast`, `IsUnspecified`, `IsMulticast`) plus an inline CGNAT range, but those helpers do **not** match two classes of IPv6 address that should be blocked for SSRF purposes:
1. **IPv6 forms that embed an IPv4 destination via documented translation mechanisms** — 6to4, NAT64, IPv4-compatible IPv6, ISATAP, or (in older Go versions) IPv4-mapped IPv6. These let an attacker reach i
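The CVE description at the top of this page and the Mailpit summary above describe the same failure mode from two sides: a deny-list that hands the parsed address straight to `IsLoopback`, `IsPrivate` and friends, and an attacker who re-encodes an internal IPv4 target as IPv6. The Go program below is an added example, not code from Mailpit, Traefik or the Go project. `isInternalNaive` reproduces the deny-list pattern the advisories describe (stdlib `Is*` helpers plus a CGNAT range); `embeddedIPv4` recovers the IPv4 address from the transition forms the Mailpit advisory names, using `Addr.Unmap` for the mapped case (which is also what the Go fix now does inside the `Is*` helpers) and the RFC prefixes for 6to4, NAT64 and IPv4-compatible addresses; `isInternalHardened` checks both the address as given and the embedded IPv4. The function names, the sample inputs and the ISATAP interface-identifier heuristic are this example's own assumptions. On a patched toolchain the naive verdict already reads true for the mapped form; the other rows show what the upstream fix does not cover.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Ranges for the transition mechanisms named in the Mailpit advisory, taken
// from the RFCs in the comments. The CGNAT range stands in for the "inline
// CGNAT range" the advisory says the deny-list carried next to the Is* calls.
var (
	cgnat     = netip.MustParsePrefix("100.64.0.0/10") // RFC 6598
	compat    = netip.MustParsePrefix("::/96")         // IPv4-compatible, RFC 4291 (deprecated)
	nat64     = netip.MustParsePrefix("64:ff9b::/96")  // NAT64 well-known prefix, RFC 6052
	sixToFour = netip.MustParsePrefix("2002::/16")     // 6to4, RFC 3056
)

// isInternalNaive is the deny-list pattern the advisories describe: stdlib Is*
// helpers plus a CGNAT check, applied to the address exactly as parsed.
// On Go < 1.21.11 and 1.22.0-1.22.3 the Is* helpers return false for
// IPv4-mapped IPv6 (CVE-2024-24790); on every Go version they return false
// for the other transition forms handled by embeddedIPv4 below.
func isInternalNaive(a netip.Addr) bool {
	return a.IsLoopback() || a.IsPrivate() || a.IsUnspecified() ||
		a.IsLinkLocalUnicast() || a.IsLinkLocalMulticast() || a.IsMulticast() ||
		cgnat.Contains(a)
}

// embeddedIPv4 extracts the IPv4 address carried inside an IPv6 transition
// form, returning it and true; otherwise it returns the input and false.
func embeddedIPv4(a netip.Addr) (netip.Addr, bool) {
	if a.Is4() {
		return a, false
	}
	if u := a.Unmap(); u.Is4() { // ::ffff:a.b.c.d, RFC 4291
		return u, true
	}
	b := a.As16()
	last4 := func() netip.Addr { return netip.AddrFrom4([4]byte{b[12], b[13], b[14], b[15]}) }
	switch {
	case compat.Contains(a) && !a.IsUnspecified() && !a.IsLoopback(): // ::a.b.c.d
		return last4(), true
	case nat64.Contains(a): // 64:ff9b::a.b.c.d
		return last4(), true
	case sixToFour.Contains(a): // 2002:AABB:CCDD::/48 carries a.b.c.d as AABB:CCDD
		return netip.AddrFrom4([4]byte{b[2], b[3], b[4], b[5]}), true
	case (b[8] == 0x00 || b[8] == 0x02) && b[9] == 0x00 && b[10] == 0x5e && b[11] == 0xfe:
		// ISATAP interface identifier ::0:5efe:a.b.c.d or ::200:5efe:a.b.c.d
		// (RFC 5214) under any /64 prefix. A heuristic on the IID, not a fixed
		// prefix, so this match is an assumption of the example.
		return last4(), true
	}
	return a, false
}

// isInternalHardened checks the address as given AND the IPv4 it embeds, so
// the deny-list cannot be bypassed by re-encoding an internal IPv4 target.
func isInternalHardened(a netip.Addr) bool {
	if isInternalNaive(a) {
		return true
	}
	if v4, ok := embeddedIPv4(a); ok {
		return isInternalNaive(v4)
	}
	return false
}

// classify parses s and returns both verdicts.
func classify(s string) (naive, hardened bool, err error) {
	a, perr := netip.ParseAddr(s)
	if perr != nil {
		return false, false, perr
	}
	return isInternalNaive(a), isInternalHardened(a), nil
}

// embedded returns the embedded IPv4 address of s as text, or "" if none.
func embedded(s string) string {
	a, err := netip.ParseAddr(s)
	if err != nil {
		return ""
	}
	if v4, ok := embeddedIPv4(a); ok {
		return v4.String()
	}
	return ""
}

func main() {
	// Constructed inputs: each IPv6 form embeds 127.0.0.1; the last two are
	// RFC 5737 documentation addresses that a link checker should still allow.
	samples := []string{
		"127.0.0.1",
		"::ffff:127.0.0.1",         // IPv4-mapped (CVE-2024-24790)
		"::127.0.0.1",              // IPv4-compatible
		"64:ff9b::127.0.0.1",       // NAT64
		"2002:7f00:1::",            // 6to4
		"2001:db8::5efe:127.0.0.1", // ISATAP
		"203.0.113.10",
		"::ffff:203.0.113.10",
	}
	fmt.Printf("%-26s %-6s %-9s %s\n", "address", "naive", "hardened", "embedded IPv4")
	for _, s := range samples {
		naive, hardened, err := classify(s)
		if err != nil {
			fmt.Println(s, err)
			continue
		}
		fmt.Printf("%-26s %-6v %-9v %s\n", s, naive, hardened, embedded(s))
	}
}
```

Two design points carry over to any SSRF guard. First, classify both the address as presented and the address it resolves to; checking only the extracted IPv4 would let `::1` through, because the IPv4-compatible branch would turn it into `0.0.0.1`. Second, the check belongs at connect time (a `net.Dialer` `Control` hook or an equivalent) rather than only on the parsed URL host, since DNS can return any of these forms after validation has already passed.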
OSV · 2024-11-14 · CVSS 7.5
CVE-2022-41723 [HIGH] golang-1.18 vulnerabilities
Philippe Antoine discovered that Go incorrectly handled crafted HTTP/2
streams. An attacker could possibly use this issue to cause a denial of
service. (CVE-2022-41723)
Marten Seemann discovered that Go did not properly manage memory under
certain circumstances. An attacker could possibly use this issue to cause
a panic resulting in a denial of service. (CVE-2022-41724)
Ameya Darshan and Jakob Ackermann discovered that Go did not properly
validate the amount of memory and disk files ReadForm can consume. An
attacker could possibly use this issue to cause a panic resulting in a
denial of service. (CVE-2022-41725)
Hunter Wittenborn discovered that Go incorrectly handled the sanitization
of environment variables. An attacker could possibly use this issue to run
OSV / GHSA · 2024-10-25 · CVSS 9.8
[CRITICAL] github.com/crossplane/crossplane: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses
A critical vulnerability was reported in the versions of golang that Crossplane depends on. Details of the golang vulnerability are included below. Crossplane does not directly use the vulnerable functions from the `net/netip` package, but the version of golang libraries, runtime, and build tools have still been updated as part of this security advisory nonetheless.
**Critical Vulnerabilities**
Vulnerability: [CVE-2024-24790](https://nvd.nist.gov/vuln/detail/CVE-2024-24790), `golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses`
Description: The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returni
OSV · 2024-07-09 · CVSS 7.5
CVE-2023-45288 [HIGH] golang-1.21, golang-1.22 vulnerabilities
It was discovered that the Go net/http module did not properly handle the
requests when request's headers exceed MaxHeaderBytes. An attacker could
possibly use this issue to cause a panic resulting into a denial of service.
This issue only affected Go 1.21 in Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
(CVE-2023-45288)
It was discovered that the Go net/http module did not properly validate the
subdomain match or exact match of the initial domain. An attacker could
possibly use this issue to read sensitive information. This issue only
affected Go 1.21 in Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2023-45289)
It was discovered that the Go net/http module did not properly validate the
total size of the parsed form when parsing a multipart form. An atta
GHSA / OSV · 2024-06-11 · CVSS 9.8
CVE-2024-24790 [CRITICAL] CWE-180 Traefik has unexpected behavior with IPv4-mapped IPv6 addresses
### Impact
There is a vulnerability in [Go managing various Is methods (IsPrivate, IsLoopback, etc) for IPv4-mapped IPv6 addresses](https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJ).
They didn't work as expected, returning false for addresses which would return true in their traditional IPv4 forms.
### References
- [CVE-2024-24790](https://www.cve.org/CVERecord?id=CVE-2024-24790)
### Patches
- https://github.com/traefik/traefik/releases/tag/v2.11.4
- https://github.com/traefik/traefik/releases/tag/v3.0.2
### Workarounds
No workaround.
### For more information
If you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).
GHSA (GHSA-49gw-vxvf-fc2g, unreviewed) / OSV · 2024-06-04 to 2024-06-05 · CVSS 9.8
CVE-2024-24790 [CRITICAL] Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses in net/netip
The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.
Ubuntu · 2024-11-14 · CVSS 7.5
CVE-2023-29405 [HIGH] Go vulnerabilities
Summary: Several security issues were fixed in Go.
Philippe Antoine discovered that Go incorrectly handled crafted HTTP/2
streams. An attacker could possibly use this issue to cause a denial of
service. (CVE-2022-41723)
Marten Seemann discovered that Go did not properly manage memory under
certain circumstances. An attacker could possibly use this issue to cause
a panic resulting in a denial of service. (CVE-2022-41724)
Ameya Darshan and Jakob Ackermann discovered that Go did not properly
validate the amount of memory and disk files ReadForm can consume. An
attacker could possibly use this issue to cause a panic resulting in a
denial of service. (CVE-2022-41725)
Hunter Wittenborn discovered that Go incorrectly handled the sanitization
of environment variables
Palo Alto · 2024-10-29 · CVSS 9.8
CVE-2019-17006 [CRITICAL] PAN-SA-2024-0012 Informational Bulletin: OSS CVEs fixed in PAN-OS
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS. While it was not determined that these CVEs have any significant impact on PAN-OS, they have been fixed out of an abundance of caution.
| CVE | Summary |
|---|---|
| CVE-2019-17006 | This CVE is fixed in PAN-OS 10.2.0, and all later versions of PAN-OS. |
| CVE-2021-3518 | This CVE is fixed in PAN-OS 10.2.0, and all later versions of PAN-OS. |
| CVE-2021-25219 | This CVE is fixed in PAN-OS 10.2.3, and all later versions of PAN-OS. |
| CVE-2021-27645 | This CVE is fixed in PAN-OS 10.2.8, PAN-OS 11.0.2, and all later versions of PAN-OS. |
| CVE-2021-34798 | This CVE is fixed in PAN-OS 10.2.8, PAN-OS 11.0.2, and all later versions o |
Ubuntu · 2024-07-09 · CVSS 7.5
CVE-2023-45290 [HIGH] Go vulnerabilities
Summary: Several security issues were fixed in Go.
It was discovered that the Go net/http module did not properly handle the
requests when request's headers exceed MaxHeaderBytes. An attacker could
possibly use this issue to cause a panic resulting into a denial of service.
This issue only affected Go 1.21 in Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
(CVE-2023-45288)
It was discovered that the Go net/http module did not properly validate the
subdomain match or exact match of the initial domain. An attacker could
possibly use this issue to read sensitive information. This issue only
affected Go 1.21 in Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2023-45289)
It was discovered that the Go net/http module did not properly validate the
total size of the parsed form w
Microsoft (MSRC) · 2024-06-11 · CVSS 9.8
CVE-2024-24790 [CRITICAL] Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses in net/netip
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
Go: Go
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Refere
Red Hat · 2024-06-04 · CVSS 9.8
CVE-2024-24790 [CRITICAL] CWE-115 golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses
The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.
A flaw was found in the Go language standard library net/netip. The method Is*() (IsPrivate(), IsPublic(), etc) doesn't behave properly when working with IPv6 mapped to IPv4 addresses. The unexpected behavior can lead to integrity and confidentiality issues, specifically when these methods are used to control access to resources or data.
Statement: This CVE has been marked as moderate as for our products a network-based attack vector is simply impossible when it comes to golang code, apart from that as per CVE
Debian · 2024 · CVSS 9.8
CVE-2024-24790 [CRITICAL] golang-1.15
The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.
Scope: local
bullseye: open
No detection rules found.
No public exploits indexed.
References
- http://www.openwall.com/lists/oss-security/2024/06/04/1
- https://go.dev/cl/590316
- https://go.dev/issue/67680
- https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJ
- https://pkg.go.dev/vuln/GO-2024-2887
- https://security.netapp.com/advisory/ntap-20240905-0002/