GHSA-xw57-23p8-9wc5MediumDisclosed before NVD

@asymmetric-effort/specifyjs: Localhost bypass incomplete (IPv6, 0.0.0.0, 127.x range)

Published
July 2, 2026
Last Modified
July 2, 2026

📋 Description

Finding

Location: core/src/shared/secure-fetch.ts:52-54

The localhost exception allowed localhost and 127.0.0.1 but did not cover 0.0.0.0, [::1] (IPv6 localhost), or the full 127.0.0.0/8 loopback range.

Status

Fixed in v0.2.136 — Localhost detection now covers localhost, 127.0.0.1, [::1], 0.0.0.0, and the full 127.x.x.x range.

🎯 Affected products1

  • npm/@asymmetric-effort/specifyjs:< 0.2.136

🔗 References (4)