CVE-2026-47684: JavaScript Vulnerability Analysis and Mitigation
Overview
CVE-2026-47684 is a Server-Side Request Forgery (SSRF) protection bypass vulnerability in the Sync-in Server's URL download feature, caused by an incomplete private IP blocklist regex that fails to match IPv4-mapped IPv6 addresses (e.g., ::ffff:127.0.0.1). It affects all versions of the @sync-in/server npm package and Docker image up to and including v2.2.1, and was first published on May 22, 2026, with the advisory formally added to the GitHub Advisory Database on June 5, 2026. The vulnerability carries a CVSS v3.1 base score of 7.7 (High) (GitHub Advisory, Sync-in Advisory).
Technical Details
The root cause (CWE-918: Server-Side Request Forgery) lies in the regExpPrivateIP regex defined in backend/src/applications/files/utils/url-file.ts, which correctly blocks standard IPv4 private ranges (e.g., 127.0.0.1, 10.x.x.x) but omits their IPv4-mapped IPv6 equivalents (e.g., ::ffff:127.0.0.1, ::ffff:10.x.x.x). The FilesManager.downloadFromUrl() function in backend/src/applications/files/services/files-manager.service.ts checks request.socket.remoteAddress against this regex; on dual-stack Node.js systems, the socket address is reported in IPv4-mapped IPv6 form, causing the blocklist check to be bypassed entirely. Exploitation requires only low privileges (any user with access to the file download feature) and no user interaction, making it straightforward to trigger over the network. A proof-of-concept has been published by the reporter (GitHub Advisory, Sync-in Advisory).
Impact
Successful exploitation allows an authenticated attacker to cause the Sync-in server to fetch arbitrary internal resources — such as services on 127.0.0.1 or RFC-1918 addresses — that should be inaccessible from external networks. The primary impact is a high confidentiality loss, as internal APIs, metadata services (e.g., cloud instance metadata endpoints), or other sensitive internal HTTP services can be read by the attacker. There is no direct integrity or availability impact, but the ability to probe and exfiltrate data from internal infrastructure could facilitate further lateral movement or privilege escalation (GitHub Advisory, Sync-in Advisory).
Exploitation Steps
- Authenticate: Obtain valid credentials for any user account on the target Sync-in Server instance (v2.2.1 or earlier) that has access to the file download feature.
- Identify the download endpoint: Locate the URL download functionality in the Sync-in web interface or API, which maps to FilesManager.downloadFromUrl() in the backend.
- Craft a malicious URL: Construct a URL targeting an internal resource using an IPv4-mapped IPv6 address format, e.g., http://[::ffff:127.0.0.1]/internal-api or http://[::ffff:169.254.169.254]/latest/meta-data/ (for cloud metadata).
- Submit the request: Supply the crafted URL to the file download feature. The server's regExpPrivateIP regex check against request.socket.remoteAddress will fail to match the ::ffff:-prefixed address on a dual-stack system, bypassing the SSRF protection.
- Retrieve internal data: The server fetches the internal resource and returns its contents to the attacker, potentially exposing sensitive internal service data, credentials, or cloud metadata (GitHub Advisory, Sync-in Advisory).
Indicators of Compromise
- Network: Outbound HTTP requests from the Sync-in server process to internal IP ranges in IPv4-mapped IPv6 form (e.g., ::ffff:127.0.0.1, ::ffff:10.x.x.x, ::ffff:169.254.169.254); unexpected connections to cloud metadata endpoints (e.g., 169.254.169.254) originating from the server.
- Logs: Application logs showing downloadFromUrl() calls with URLs resolving to internal/private addresses; Node.js HTTP client requests to loopback or RFC-1918 addresses in server-side access logs.
- Process: Unusual outbound HTTP activity from the Node.js server process to internal network segments not normally accessed by the application.
Mitigation and Remediation
Upgrade to @sync-in/server v2.3.0 (npm) or the equivalent Docker image sync-in/server:2.3.0, which hardens SSRF protection to include IPv4-mapped IPv6 address blocking, DNS rebinding protections, unsafe redirect handling, proxy bypass mitigations, and oversized data stream limits (Sync-in v2.3.0 Release). If immediate upgrade is not possible, consider restricting access to the file download feature to trusted users only, and deploying network-level egress filtering on the server to block outbound connections to internal/private IP ranges as a defense-in-depth measure. No official configuration-only workaround has been published by the vendor.
Community Response
The vulnerability was reported by security researcher x0root and remediated by the Sync-in maintainer johaven in the v2.3.0 release. A Reddit post in the r/selfhosted community noted the v2.3.0 release (including the security fix), indicating awareness among self-hosted software users (Reddit). No broader media coverage or notable security community commentary beyond the advisory itself has been identified.
Additional Resources
Source: This report was generated using AI.