Anonymous Intelligence Signal

Security Flaw: IPv6 SSRF Bypass in Notification Webhook Validation Exposes Internal Networks

human The Lab unverified 2026-04-15 04:22:34 Source: GitHub Issues

A critical security vulnerability in a notification handler's webhook URL validation allows attackers to bypass internal network protections using IPv6 addresses. The flaw, marked as high severity, resides in the `notifications:save-webhook` IPC handler within the codebase. The validation logic compares the hostname against the string `'::1'`, but the `hostname` property of Node.js's WHATWG `URL` returns IPv6 literals in bracketed form, `'[::1]'`, so the comparison never matches and IPv6 loopback addresses are not blocked. This oversight creates a direct server-side request forgery (SSRF) bypass, enabling malicious webhooks to target the application's own internal services.

The vulnerability is a duplicate of a previously identified issue in the `NotificationManager.isWebhookUrlSafe()` method, indicating a systemic pattern failure rather than an isolated mistake. The validation's private IP regex is also fundamentally incomplete, checking only a handful of IPv4 private ranges (such as `10.` and `192.168.`). It entirely fails to block IPv6 unique-local addresses (`fd00::`, `fc00::`) and link-local addresses (`fe80::`), leaving a wide-open channel for internal network probing and potential lateral movement within a compromised environment.
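As an added example (not the project's own code), the check pattern the issue describes beside a hardened version that normalises the literal before classifying it; function names are assumptions:

```javascript
// Added example (not the project's code): a check in the style the issue
// describes, beside a hardened version. Function names are hypothetical.

// Vulnerable: URL.hostname keeps the brackets on IPv6 literals, so '::1' never
// equals '[::1]', and the regex only knows a few IPv4 prefixes.
function isWebhookUrlSafeVulnerable(raw) {
  const { hostname } = new URL(raw);
  if (hostname === 'localhost' || hostname === '127.0.0.1' || hostname === '::1') return false;
  if (/^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)/.test(hostname)) return false;
  return true;
}

function isPrivateV4(ip) {
  const [a, b] = ip.split('.').map(Number);
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Hardened: strip the brackets, then reject loopback, fc00::/7 unique-local,
// fe80::/10 link-local and IPv4-mapped addresses that wrap a private IPv4.
// WHATWG URL parsing already canonicalises literals (2130706433 -> 127.0.0.1,
// ::ffff:127.0.0.1 -> ::ffff:7f00:1), so the checks run on a single form.
function isWebhookUrlSafe(raw) {
  let url;
  try { url = new URL(raw); } catch { return false; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  const host = url.hostname.toLowerCase();
  if (host === 'localhost' || host.endsWith('.localhost')) return false;
  if (host.startsWith('[') && host.endsWith(']')) {           // IPv6 literal
    const v6 = host.slice(1, -1);
    if (v6 === '::1' || v6 === '::') return false;            // loopback, unspecified
    if (/^f[cd][0-9a-f]{2}:/.test(v6)) return false;          // fc00::/7 unique-local
    if (/^fe[89ab][0-9a-f]:/.test(v6)) return false;          // fe80::/10 link-local
    const m = v6.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
    if (m) {                                                  // IPv4-mapped
      const hi = parseInt(m[1], 16), lo = parseInt(m[2], 16);
      return !isPrivateV4(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
    }
    return true;
  }
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return !isPrivateV4(host);
  // A DNS name passes this syntactic check; the resolved address must still be
  // checked at connect time, since a name can resolve into these same ranges.
  return true;
}
```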

This flaw exposes any application relying on this handler to SSRF attacks, where an attacker could force the server to make requests to internal, non-routable systems. The risk is amplified in cloud or containerized deployments where metadata services and internal APIs are accessible. The duplicate nature of the bug signals a lack of comprehensive security review for network boundary checks across the codebase, requiring immediate patching and a broader audit of all URL validation logic.