You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Fixed an unauthenticated SSRF relay (GHSA-vpc2-r395-534p) where the /api/links/preview endpoint accepted requests without a valid session, allowing anyone to use the server as an anonymous outbound HTTP relay. The endpoint now requires authentication. Additionally, closed a gap in the SSRF blocklist where 0.0.0.0 (and IPv6 :: / ::0) was not blocked — on Linux these addresses route to the loopback interface at the kernel level. Reported by @de3erve.