@asymmetric-effort/specifyjs: Localhost bypass incomplete (IPv6, 0.0.0.0, 127.x range)
Moderate severity
GitHub Reviewed
Published
May 29, 2026
in
asymmetric-effort/specifyjs
•
Updated Jul 2, 2026
Description
Published to the GitHub Advisory Database
Jul 2, 2026
Reviewed
Jul 2, 2026
Last updated
Jul 2, 2026
Finding
Location:
core/src/shared/secure-fetch.ts:52-54The localhost exception allowed
localhostand127.0.0.1but did not cover0.0.0.0,[::1](IPv6 localhost), or the full127.0.0.0/8loopback range.Status
Fixed in v0.2.136 — Localhost detection now covers
localhost,127.0.0.1,[::1],0.0.0.0, and the full127.x.x.xrange.References