aerogo / aero

:bullettrain_side: High-performance web server for Go (2016). New alpha (2024) with even better performance is currently in development at https://git.akyoto.dev/go/web
MIT License

IsPrivate Function Bypass #25

Open aydinnyunus opened 6 months ago

aydinnyunus commented 6 months ago

Hi Team,

I found a possible IsPrivate function bypass in the aero framework at https://github.com/aerogo/aero/blob/f70e4d9aa6b9c894ff24fe6ec560f762986d37e4/IP.go#L17

PoC:

https://go.dev/play/p/r41I__AxFUN

If you give 0.0.0.0, which can point to localhost, it can be bypassed.
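The class of bug reported above, as an added example that is not aero's code: `naiveIsPrivate` is a constructed stand-in for a check that only matches RFC 1918 and loopback ranges (an assumption about the shape of the check, not a copy of aero's implementation), and `IsNotPublic` is a hardened version that also treats the unspecified address (0.0.0.0 and ::) and link-local ranges as non-public, using the standard library's `net.IP` predicates.

```go
package main

import (
	"fmt"
	"net"
)

// naiveIsPrivate is a constructed example of a range-list check that
// covers RFC 1918 and loopback only. It is NOT aero's code; it shows the
// kind of check that 0.0.0.0 slips past, because 0.0.0.0 is in none of
// these blocks even though connecting to it reaches the local host.
func naiveIsPrivate(ip net.IP) bool {
	for _, cidr := range []string{"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"} {
		_, block, _ := net.ParseCIDR(cidr)
		if block.Contains(ip) {
			return true
		}
	}
	return false
}

// IsNotPublic reports whether addr must be treated as internal: the
// unspecified address (0.0.0.0, ::), loopback, link-local, and the
// RFC 1918 / ULA ranges that net.IP.IsPrivate covers. An unparsable
// string fails closed (treated as non-public).
func IsNotPublic(addr string) bool {
	ip := net.ParseIP(addr)
	if ip == nil {
		return true
	}
	return ip.IsUnspecified() || ip.IsLoopback() || ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast()
}

func main() {
	// Constructed sample addresses: the first is the one from the report.
	for _, a := range []string{"0.0.0.0", "::", "127.0.0.1", "10.1.2.3", "fe80::1", "8.8.8.8"} {
		fmt.Printf("%-10s naive=%-5v hardened=%v\n", a, naiveIsPrivate(net.ParseIP(a)), IsNotPublic(a))
	}
}
```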