SSRF via IPv6 address 2 in jgraph/drawio


Reported on May 15th 2022


While searching online, I found that fc00 / fd00 are also private IPv6 ranges that are, weirdly, not covered by INetAddress, meaning that the check has to be done manually.

As I unfortunately did not catch this one in my previous report, I am dropping the bounty (setting CVSS to 0, and likewise the payout to 0) for this one.
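An added illustration (not drawio's code) of the gap described in the report: Java's InetAddress.isSiteLocalAddress() only matches the deprecated fec0::/10 site-local prefix, so a server-side URL filter has to test the fc00::/7 unique-local range itself. The class and method names below are my own.

```java
import java.net.Inet6Address;
import java.net.InetAddress;
import java.net.UnknownHostException;

public class PrivateAddressCheck {

    // IPv6 Unique Local Addresses (RFC 4193) occupy fc00::/7, i.e. the first
    // byte is 0xfc or 0xfd. InetAddress.isSiteLocalAddress() does not match
    // them (it checks fec0::/10 only), so the prefix is tested by hand here.
    static boolean isUniqueLocal(InetAddress addr) {
        if (!(addr instanceof Inet6Address)) {
            return false;
        }
        byte[] b = addr.getAddress();
        return (b[0] & 0xfe) == 0xfc;
    }

    // Combined "do not fetch from here" test to run on the resolved address
    // before an outbound request: the built-in classifications plus the
    // manual unique-local check.
    static boolean isBlockedDestination(InetAddress addr) {
        return addr.isLoopbackAddress()
            || addr.isLinkLocalAddress()
            || addr.isSiteLocalAddress()
            || addr.isAnyLocalAddress()
            || addr.isMulticastAddress()
            || isUniqueLocal(addr);
    }

    public static void main(String[] args) throws UnknownHostException {
        // Constructed sample literals; getByName on an IP literal performs no DNS lookup.
        String[] samples = { "fd00::1", "fc00::1234", "fec0::1", "fe80::1", "::1", "2001:db8::1", "10.0.0.1" };
        for (String s : samples) {
            InetAddress a = InetAddress.getByName(s);
            System.out.printf("%-14s siteLocal=%-5b uniqueLocal=%-5b blocked=%b%n",
                s, a.isSiteLocalAddress(), isUniqueLocal(a), isBlockedDestination(a));
        }
    }
}
```

Apply the check to the address actually resolved for the request, and again on every redirect, rather than to the hostname string the user supplied.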



We are processing your report and will contact the jgraph/drawio team within 24 hours. a year ago


I am dropping the bounty for this one as I wasn't able to catch these particular IPv6 ranges in the previous report.

David Benson
a year ago


Thanks, appreciate that. Fix is

David Benson validated this vulnerability a year ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
David Benson marked this as fixed in 18.0.6 with commit 7a68eb a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE