Skip to content

Releases: cboxdk/laravel-ssrf

Release list

v1.0.1

Choose a tag to compare

@sylvesterdamgaard sylvesterdamgaard released this 12 Jul 20:34

Support Laravel 12 and 13. v1.0.0 was pinned to illuminate/* ^12.0, which prevented installation on Laravel 13 apps. Constraints widened (illuminate ^12||^13, symfony/http-foundation ^7||^8, testbench ^10||^11, pest ^3.5||^4.0); CI now matrixes over both Laravel majors. No behavior change.

v1.0.0

Choose a tag to compare

@sylvesterdamgaard sylvesterdamgaard released this 12 Jul 19:07

Initial release of cboxdk/laravel-ssrf — a hardened, config-driven SSRF guard for outbound URLs in Laravel.

Highlights:

  • Resolves both A and AAAA; blocks every private/reserved/cloud-metadata address.
  • DNS-rebinding defence: resolve once, pin via CURLOPT_RESOLVE (TLS-safe), verify the connected IP, disable redirects.
  • IPv6 transition forms (6to4, NAT64, Teredo, IPv4-mapped) blocked wholesale and embedded IPv4 re-checked (CVE-2026-48736 class).
  • Http::ssrf() macro, PublicUrl validation rule, browser-redirect mode, FakeResolver test seam.
  • Honest scope: network egress control is the complete fix.

CI is green (Pint, PHPStan max, 25 tests against real vectors, composer audit, license check, CycloneDX SBOM, TruffleHog secret scan, Semgrep SAST).