// wall of bugs caught

10 critical bugs
PullLight would have caught in your PRs.

Every card below is a real bug flagged during PR review — CVEs, CWEs, before/after code. No competitors have a page like this. Try it on your own PR →

Totals: 13 catches · 10 critical · 3 high · 10 with CVSS ≥ 9 · 5 languages
Severity: high · Tag: ssrf · Language: JavaScript · CVE-2024-29415
SSRF via IPv4/IPv6 Canonicalization Bypass
The ip package's isPrivate() check normalizes IPv4-mapped IPv6 addresses incorrectly — attackers pass addresses that appear public but resolve to RFC-1918 space, bypassing SSRF guards.
Before / after code snippet
Before (vulnerable)
// BEFORE (vulnerable)
const ip = require('ip'); // affected versions of the ip package
// userSuppliedIp comes straight from the request; an IPv4-mapped IPv6
// literal is classified as public here even when it targets internal space.
if (ip.isPrivate(userSuppliedIp)) {
  return res.status(403).send('Blocked');
}
fetch(`http://${userSuppliedIp}/internal-api`);
After (fixed)
// AFTER (fixed)
const ip = require('ip');
// Normalize IPv4-mapped IPv6 before the private check.
// normalizeIp is the project's own helper (body not shown on this card).
const normalized = normalizeIp(userSuppliedIp);
if (ip.isPrivate(normalized)) return res.status(403).send('Blocked');
fetch(`http://${normalized}/internal-api`);
Browse full case studies with diffs & analysis →
Install in 60 seconds — free for OSS. Watch PullLight flag bugs like these in your PRs.
Install on GitHub →