From 0934c87a456e6a4334a64dd997d8fa2d21065bd2 Mon Sep 17 00:00:00 2001
From: orbisai0security
Date: Wed, 13 May 2026 08:26:42 +0000
Subject: [PATCH] Address review feedback (1 comments)
---
 api_server/routes/internal/internal_routes.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/api_server/routes/internal/internal_routes.py b/api_server/routes/internal/internal_routes.py
index 7f7a840de..8c71e3625 100644
--- a/api_server/routes/internal/internal_routes.py
+++ b/api_server/routes/internal/internal_routes.py
@@ -84,7 +84,12 @@ class InternalRoutes:
 if remote is None:
 raise web.HTTPForbidden(reason="Internal endpoints are only accessible from localhost")
 try:
- if not ipaddress.ip_address(remote).is_loopback:
+ addr = ipaddress.ip_address(remote)
+ # Unwrap IPv4-mapped IPv6 addresses (e.g. ::ffff:127.0.0.1) so that
+ # is_loopback correctly evaluates the underlying IPv4 address.
+ if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
+ addr = addr.ipv4_mapped
+ if not addr.is_loopback:
 raise web.HTTPForbidden(reason="Internal endpoints are only accessible from localhost")
 except ValueError:
 raise web.HTTPForbidden(reason="Internal endpoints are only accessible from localhost")
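Review bot: The loopback decision in this `try` block still depends entirely on where `remote` comes from, which is set outside the hunk, and nothing in the new lines records that assumption. If it is the transport peer address, a reverse proxy running on the same host would make every forwarded request look like loopback (now including `::ffff:127.0.0.1`), so I would add a comment above `addr = ipaddress.ip_address(remote)` such as `# remote must be the direct socket peer, never a forwarded header; behind a same-host proxy this check passes for every client`. The commit touches only this file, so the unwrap has no regression test; a parametrized case that accepts `127.0.0.1`, `::1` and `::ffff:127.0.0.1` and rejects a mapped non-loopback address and a non-IP string would pin the behaviour. The enclosing method starts and ends outside the hunk.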