PSA-2026-04-M1S0CVE-2026-423462026-04-286.5 Medium
TOCTOU DNS rebinding bypasses all SSRF URL validation paths
TOCTOU DNS rebinding bypasses all SSRF URL validation paths
All SSRF protections added in v2.21.4–v2.21.6 share a fundamental TOCTOU (Time-of-Check-Time-of-Use) vulnerability: isSafePublicHttpsUrl() resolves DNS to validate the target IP, but subsequent fetch() calls resolve DNS independently. An attacker controlling a DNS server can exploit this gap via DNS rebinding to redirect requests to internal network addresses.