{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreidfcjacdotgvklgqanpwk7xezsxxtttv5pik4asujbjepbfhzv7y4",
"uri": "at://did:plc:gqcpffaretmzlcouvbo7wrwf/app.bsky.feed.post/3mgfmpnihbzz2"
},
"description": "We are publishing a notice today to bring to attention an unintentional breaking change that could affect some users of NodeBB.\n\nv4.5.0 contained an update to `src/request.js` that calls a DNS resolver to ensure that the destination address is not a reserved IP address (e.g. `192.168...`, `127.0..`)\n\nThis change was introduced in order to close off any potential for Server-Side Request Forgery for any calls made within the NodeBB codebase. [...]",
"path": "/post/106777",
"publishedAt": "2026-03-06T15:25:35.089Z",
"site": "https://community.nodebb.org",
"tags": [
"nodebb",
"Server-Side Request Forgery"
],
"textContent": "We are publishing a notice today to bring to attention an unintentional breaking change that could affect some users of NodeBB.\n\nv4.5.0 contained an update to `src/request.js` that calls a DNS resolver to ensure that the destination address is not a reserved IP address (e.g. `192.168...`, `127.0..`)\n\nThis change was introduced in order to close off any potential for Server-Side Request Forgery for any calls made within the NodeBB codebase. [...]\n\nIn the vast majority of installations, this has no unintended effects. In some installations, custom plugins or themes may call URLs that resolve to an internal address _on purpose_ (e.g. to query an internal database or similar.) In those situations, the call will now fail as of v4.5.0.\n\nIn those situations, you will need to update the plugin to add the domain to the allow list by calling the `filter:request.init` hook:\n\n**plugin.json**\n\n\n {\n ...\n \"hooks\": [\n ...\n { \"hook\": \"filter:request.init\", \"method\": \"allowInternalHostname\" },\n ...\n ]\n ...\n }\n\n\n**library.js or similar**\n\n\n const plugin = module.exports;\n\n plugin.allowInternalHostname = async ({ allowed }) => {\n allowed.add('example.org');\n return { allowed };\n };\n",
"title": "Notice: Breaking change in v4.5.0 (requests to internal IP addresses disallowed)",
"updatedAt": "2026-03-06T15:27:35.046Z"
}