From 6dc0001f9d08ab35971815d23e0ee5b8b4ced001 Mon Sep 17 00:00:00 2001
From: Chris
Date: Tue, 21 Apr 2026 12:35:31 +0200
Subject: [PATCH] fix: block 0.0.0.0/8 in isPrivateIP to prevent loopback bypass

---
 src/helpers.php | 1 +
 tests/test_helpers.php | 1 +
 2 files changed, 2 insertions(+)

diff --git a/src/helpers.php b/src/helpers.php
index 8289eec..8a7d319 100755
--- a/src/helpers.php
+++ b/src/helpers.php
@@ -37,6 +37,7 @@ function isPrivateIP(string $ip): bool
 if ($long === false) return true;
 
 foreach ([
+ [ip2long('0.0.0.0'), 0xFF000000], // 0.0.0.0/8 unspecified (routes to loopback on Linux)
 [ip2long('127.0.0.0'), 0xFF000000], // 127.0.0.0/8 loopback
 [ip2long('10.0.0.0'), 0xFF000000], // 10.0.0.0/8 RFC1918
 [ip2long('172.16.0.0'), 0xFFF00000], // 172.16.0.0/12 RFC1918
diff --git a/tests/test_helpers.php b/tests/test_helpers.php
index 3f35b50..3c0e68b 100644
--- a/tests/test_helpers.php
+++ b/tests/test_helpers.php
@@ -26,6 +26,7 @@ check(isPrivateIP('169.254.169.254'), 'AWS metadata IP');
 check(!isPrivateIP('8.8.8.8'), 'Google DNS is public');
 check(!isPrivateIP('93.184.216.34'), 'example.com IP is public');
 check(isPrivateIP('not-an-ip'), 'unparseable IP blocked');
+check(isPrivateIP('0.0.0.0'), '0.0.0.0 blocked (routes to loopback)');
 
 // --- getUserIP ---
 unset($_SERVER['HTTP_CLIENT_IP']);
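Review bot: The new 0.0.0.0/8 entry only closes the gap for IPv4 dotted-quad input; because the check is built on ip2long, every IPv6 literal lands in the `$long === false` fail-closed branch (safe, but coarse), so this hand-maintained `foreach` list is the only thing deciding the rest of reserved IPv4 space — 100.64.0.0/10, 224.0.0.0/4, 240.0.0.0/4 and 255.255.255.255 — unless those entries sit in the part of the list outside the hunk. A cheap second layer that covers 0.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16 and 240.0.0.0/4 without a mask table is to precede the loop with `if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) return true;`, keeping the explicit list for the ranges filter_var does not know. Whatever the list ends up containing, a short docblock above the function stating that it fails closed on unparseable input and must be applied to the address actually connected to (after DNS resolution, not to a hostname) would make the contract explicit. isPrivateIP's body starts and ends outside the hunk.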
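Review bot: The added case pins only the network address of the new range, so a mask mistake that matched `0.0.0.0` alone would still pass; adding the upper boundary and the first address outside the range, `check(isPrivateIP('0.255.255.255'), '0.0.0.0/8 upper bound blocked');` and `check(!isPrivateIP('1.0.0.0'), '1.0.0.0 is outside 0.0.0.0/8');`, would lock in the /8 mask the helper comment claims. The same two-sided boundary style is worth applying to the other ranges in the list if they are not already covered elsewhere in this file.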