From 84593bb97aed7597654fcf41b9ee19f554293026 Mon Sep 17 00:00:00 2001
From: Garry Tan <garrytan@gmail.com>
Date: Mon, 13 Apr 2026 09:42:16 -0700
Subject: [PATCH] fix(security): block hex-encoded IPv4-mapped IPv6 metadata
 bypass

URL constructor normalizes ::ffff:169.254.169.254 to ::ffff:a9fe:a9fe
(hex form), which was not in the blocklist. Similarly, ::169.254.169.254
normalizes to ::a9fe:a9fe.

Add both hex-encoded forms to BLOCKED_METADATA_HOSTS so they're caught
by the direct hostname check in validateNavigationUrl.

Closes #739

Co-Authored-By: Osman Mehmood <mehmoodosman@users.noreply.github.com>
---
 browse/src/url-validation.ts | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/browse/src/url-validation.ts b/browse/src/url-validation.ts
index 5d37cf0d..ddac0d5a 100644
--- a/browse/src/url-validation.ts
+++ b/browse/src/url-validation.ts
@@ -7,6 +7,8 @@ export const BLOCKED_METADATA_HOSTS = new Set([
   '169.254.169.254',  // AWS/GCP/Azure instance metadata
   'fe80::1',          // IPv6 link-local — common metadata endpoint alias
   '::ffff:169.254.169.254', // IPv4-mapped IPv6 form of the metadata IP
+  '::ffff:a9fe:a9fe', // Hex-encoded IPv4-mapped form (URL constructor normalizes to this)
+  '::a9fe:a9fe',      // Deprecated IPv4-compatible hex form
   'metadata.google.internal', // GCP metadata
   'metadata.azure.internal',  // Azure IMDS
 ]);