Ssrf


Jul. 6, 2025

java.net.URL.equals() — A Hidden Vulnerability in Whitelist Checks

TL;DR

java.net.URL.equals() performs a DNS lookup and considers two URLs equal if their IP addresses match — even when the domains are completely different. This can bypass whitelist checks and lead to SSRF or DNS rebinding attacks.
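As an added example (not code from the original post), here is an allowlist check written with URL.equals() beside a hardened version that parses with java.net.URI and compares the host as a normalised string; the allowlist host api.example.com and the sample URLs are assumed values.

```java
import java.net.URI;
import java.net.URL;
import java.util.Locale;
import java.util.Set;

public class UrlAllowlist {
    // Hypothetical allowlist of hosts the service may fetch from.
    private static final Set<String> ALLOWED_HOSTS = Set.of("api.example.com");

    // VULNERABLE: URL.equals() resolves both hostnames over DNS and reports the
    // URLs equal when they resolve to the same address, so a different domain
    // that currently points at the same IP passes. It also blocks on a lookup.
    static boolean isAllowedVulnerable(String candidate) throws Exception {
        URL target = new URL(candidate);
        URL origin = new URL(target, "/");          // scheme://host[:port]/
        return new URL("https://api.example.com/").equals(origin);
    }

    // HARDENED: parse with java.net.URI, which does no DNS resolution, and
    // compare the normalised host string against the allowlist while pinning
    // the expected scheme and port.
    static boolean isAllowedHardened(String candidate) {
        URI target;
        try {
            target = new URI(candidate).normalize();
        } catch (java.net.URISyntaxException e) {
            return false;
        }
        String host = target.getHost();
        if (host == null) return false;              // opaque or host-less URI
        host = host.toLowerCase(Locale.ROOT);
        if (host.endsWith(".")) host = host.substring(0, host.length() - 1);
        int port = target.getPort();
        return "https".equals(target.getScheme())
                && (port == -1 || port == 443)
                && ALLOWED_HOSTS.contains(host);
    }

    public static void main(String[] args) {
        // Only the hardened check is exercised here; the vulnerable one would
        // perform real DNS lookups for both hostnames.
        for (String s : new String[] {
                "https://api.example.com/v1/users",
                "https://API.example.com.:443/v1/users",
                "https://other.example.net/v1/users"}) {
            System.out.println(s + " -> " + isAllowedHardened(s));
        }
    }
}
```

The hardened check also rejects host-less and malformed input outright instead of throwing, which keeps the failure mode closed.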