Cloudflare's handling of a bug in interpreting IPv4-mapped IPv6 addresses

In November 2022, a critical vulnerability was reported to Cloudflare's bug bounty program. The issue involved using DNS records based on IPv4-mapped IPv6 addresses to bypass network policies and access ports on loopback addresses of servers. Upon receiving the report, Cloudflare's Security Incident Response Team (SIRT) quickly deployed a hotpatch within three hours to prevent exploitation. An investigation revealed that the vulnerability was caused by two bugs in their internal DNS and HTTP systems. To remediate the issue, a fix was implemented in the proxy service to validate IP addresses correctly. No evidence of previous exploitation was found, and regular security reviews and audits continue to enhance Cloudflare's services.