<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Flyto-Core - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/flyto-core/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 06 Jul 2026 17:36:55 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/flyto-core/feed.xml" rel="self" type="application/rss+xml"/><item><title>flyto-core SSRF Bypass via IPv6 Transition Addresses (CWE-918)</title><link>https://feed.craftedsignal.io/briefs/2026-07-flyto-core-ssrf-bypass/</link><pubDate>Mon, 06 Jul 2026 17:36:55 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-flyto-core-ssrf-bypass/</guid><description>An authenticated workflow author can bypass `flyto-core`'s Server-Side Request Forgery (SSRF) protection by crafting URLs with IPv6 transition addresses that embed private IPv4s, allowing for data exfiltration from internal services like cloud instance metadata.</description><content:encoded><![CDATA[<p>The <code>flyto-core</code> application, developed by flytohub, contains a critical Server-Side Request Forgery (SSRF) vulnerability, identified as CWE-918, in its <code>validate_url_ssrf</code> function, specifically within the <code>is_private_ip</code> helper in <code>src/core/utils.py</code>. This vulnerability, published on 2026-07-06, allows an authenticated workflow author to bypass the intended SSRF protection by utilizing IPv6 transition addresses. The application's guard, designed to block access to private and cloud metadata services, fails to correctly identify private IP addresses embedded within IPv4-mapped, 6to4, or NAT64 IPv6 formats. This oversight enables attackers to craft URLs using these unblocked IPv6 forms to access internal resources like cloud instance metadata services (e.g., <code>169.254.169.254</code>) or internal loopback services. The response body from these internal services is then returned to the attacker, resulting in a read SSRF that can lead to the exfiltration of sensitive information, such as IAM credentials. This bypass directly undermines the project's documented security controls.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A workflow author, possessing valid authentication credentials for <code>flyto-core</code>'s Execution API (<code>POST /v1/execute</code>), prepares to execute a module.</li>
<li>The attacker crafts a malicious URL containing an IPv6 transition-form host, such as <code>http://[::ffff:127.0.0.1]:8080/</code> for loopback access or <code>http://[64:ff9b::a9fe:a9fe]/latest/meta-data/</code> for cloud instance metadata.</li>
<li>The attacker sends a <code>POST</code> request to <code>http://127.0.0.1:8333/v1/execute</code> with a JSON payload including <code>{&quot;module_id&quot;:&quot;http.get&quot;, &quot;params&quot;:{&quot;url&quot;:&quot;[malicious_url]&quot;}}</code>.</li>
<li>The <code>flyto-core</code> application invokes <code>validate_url_ssrf</code>, which calls <code>is_private_ip()</code> on the IPv6 transition address. Due to the vulnerability, <code>is_private_ip()</code> incorrectly returns <code>False</code>.</li>
<li>The <code>http.get</code> atomic module proceeds to initiate an outbound HTTP GET request using <code>aiohttp</code> to the internal destination specified by the crafted URL.</li>
<li>The internal service (e.g., cloud metadata service or a local web server) processes the request and returns its sensitive response body.</li>
<li><code>flyto-core</code> receives the internal service's response and, as part of the <code>http.get</code> module's functionality, returns the full response body to the attacker in the <code>/v1/execute</code> API response.</li>
<li>The attacker successfully exfiltrates sensitive data, such as IAM credentials or internal service information, via a read Server-Side Request Forgery.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The vulnerability allows an authenticated workflow author to bypass <code>flyto-core</code>'s security controls and perform read Server-Side Request Forgery (SSRF). This directly enables data exfiltration from internal services that are typically isolated from external access. Specifically, attackers can access cloud instance metadata services (e.g., <code>169.254.169.254</code>) to steal highly sensitive IAM credentials and instance identity information. Additionally, the bypass permits access to internal loopback and RFC 1918 services, potentially exposing other sensitive internal applications or data. The success of this attack directly undermines the intended security model of <code>flyto-core</code>, which explicitly documents these checks as critical security controls. While the source does not provide victim numbers, any organization using <code>flyto-core</code> is susceptible, especially those deployed in cloud environments.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately apply the patch provided by flytohub, which modifies <code>src/core/utils.py</code> to correctly identify and block private IP addresses embedded within IPv6 transition forms, as demonstrated in the &quot;Suggested fix&quot; section of this brief.</li>
<li>Review all <code>flyto-core</code> deployments, especially those in cloud environments, to ensure proper network segmentation and defense-in-depth measures limit the impact of potential SSRF vulnerabilities.</li>
<li>Monitor network egress logs for connections originating from <code>flyto-core</code> instances to unusual or internal-only IPv6 addresses, particularly those resembling the IPv4-mapped <code>::ffff:169.254.169.254</code>, NAT64 <code>64:ff9b::/96</code>, or 6to4 <code>2002::/16</code> prefixes.</li>
<li>Ensure that cloud metadata services and other sensitive internal endpoints are configured with least privilege access and minimal exposed information, assuming they might eventually be accessed by an SSRF attack.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>ssrf</category><category>vulnerability</category><category>python</category><category>defense-evasion</category></item></channel></rss>