@better-auth/core 1.7.0-beta.6 → 1.7.0-beta.7

package/dist/social-providers/paypal.d.mts

@@ -64,6 +64,7 @@ declare const paypal: (options: PayPalOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    idTokenNonce?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
   }): Promise<{
     url: URL;
@@ -89,6 +90,7 @@ declare const paypal: (options: PayPalOptions) => {
     accessTokenExpiresAt: Date | undefined;
   }>);
   getUserInfo(token: OAuth2Tokens & {
+    expectedIdTokenNonce?: string | undefined;
     user?: {
       name?: {
         firstName?: string;

package/dist/social-providers/polar.d.mts

@@ -39,6 +39,7 @@ declare const polar: (options: PolarOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    idTokenNonce?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
   }): Promise<{
     url: URL;
@@ -56,6 +57,7 @@ declare const polar: (options: PolarOptions) => {
   }) => Promise<OAuth2Tokens>;
   refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
   getUserInfo(token: OAuth2Tokens & {
+    expectedIdTokenNonce?: string | undefined;
     user?: {
       name?: {
         firstName?: string;

package/dist/social-providers/railway.d.mts

@@ -30,6 +30,7 @@ declare const railway: (options: RailwayOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    idTokenNonce?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
   }): Promise<{
     url: URL;
@@ -47,6 +48,7 @@ declare const railway: (options: RailwayOptions) => {
   }) => Promise<OAuth2Tokens>;
   refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
   getUserInfo(token: OAuth2Tokens & {
+    expectedIdTokenNonce?: string | undefined;
     user?: {
       name?: {
         firstName?: string;

package/dist/social-providers/reddit.d.mts

@@ -28,6 +28,7 @@ declare const reddit: (options: RedditOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    idTokenNonce?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
   }): Promise<{
     url: URL;
@@ -44,6 +45,7 @@ declare const reddit: (options: RedditOptions) => {
   }) => Promise<OAuth2Tokens>;
   refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
   getUserInfo(token: OAuth2Tokens & {
+    expectedIdTokenNonce?: string | undefined;
     user?: {
       name?: {
         firstName?: string;

package/dist/social-providers/roblox.d.mts

@@ -36,6 +36,7 @@ declare const roblox: (options: RobloxOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    idTokenNonce?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
   }): Promise<{
     url: URL;
@@ -52,6 +53,7 @@ declare const roblox: (options: RobloxOptions) => {
   }) => Promise<OAuth2Tokens>;
   refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
   getUserInfo(token: OAuth2Tokens & {
+    expectedIdTokenNonce?: string | undefined;
     user?: {
       name?: {
         firstName?: string;

package/dist/social-providers/salesforce.d.mts

@@ -44,6 +44,7 @@ declare const salesforce: (options: SalesforceOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    idTokenNonce?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
   }): Promise<{
     url: URL;
@@ -61,6 +62,7 @@ declare const salesforce: (options: SalesforceOptions) => {
   }) => Promise<OAuth2Tokens>;
   refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
   getUserInfo(token: OAuth2Tokens & {
+    expectedIdTokenNonce?: string | undefined;
     user?: {
       name?: {
         firstName?: string;

package/dist/social-providers/slack.d.mts

@@ -49,6 +49,7 @@ declare const slack: (options: SlackOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    idTokenNonce?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
   }): Promise<{
     url: URL;
@@ -65,6 +66,7 @@ declare const slack: (options: SlackOptions) => {
   }) => Promise<OAuth2Tokens>;
   refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
   getUserInfo(token: OAuth2Tokens & {
+    expectedIdTokenNonce?: string | undefined;
     user?: {
       name?: {
         firstName?: string;

package/dist/social-providers/spotify.d.mts

@@ -28,6 +28,7 @@ declare const spotify: (options: SpotifyOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    idTokenNonce?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
   }): Promise<{
     url: URL;
@@ -45,6 +46,7 @@ declare const spotify: (options: SpotifyOptions) => {
   }) => Promise<OAuth2Tokens>;
   refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
   getUserInfo(token: OAuth2Tokens & {
+    expectedIdTokenNonce?: string | undefined;
     user?: {
       name?: {
         firstName?: string;

package/dist/social-providers/tiktok.d.mts

@@ -134,6 +134,7 @@ declare const tiktok: (options: TiktokOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    idTokenNonce?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
   }): {
     url: URL;
@@ -150,6 +151,7 @@ declare const tiktok: (options: TiktokOptions) => {
   }) => Promise<OAuth2Tokens>;
   refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
   getUserInfo(token: OAuth2Tokens & {
+    expectedIdTokenNonce?: string | undefined;
     user?: {
       name?: {
         firstName?: string;

package/dist/social-providers/twitch.d.mts

@@ -45,6 +45,7 @@ declare const twitch: (options: TwitchOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    idTokenNonce?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
   }): Promise<{
     url: URL;
@@ -61,6 +62,7 @@ declare const twitch: (options: TwitchOptions) => {
   }) => Promise<OAuth2Tokens>;
   refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
   getUserInfo(token: OAuth2Tokens & {
+    expectedIdTokenNonce?: string | undefined;
     user?: {
       name?: {
         firstName?: string;

package/dist/social-providers/twitter.d.mts

@@ -90,6 +90,7 @@ declare const twitter: (options: TwitterOption) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    idTokenNonce?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
   }): Promise<{
     url: URL;
@@ -107,6 +108,7 @@ declare const twitter: (options: TwitterOption) => {
   }) => Promise<OAuth2Tokens>;
   refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
   getUserInfo(token: OAuth2Tokens & {
+    expectedIdTokenNonce?: string | undefined;
     user?: {
       name?: {
         firstName?: string;

package/dist/social-providers/vercel.d.mts

@@ -28,6 +28,7 @@ declare const vercel: (options: VercelOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    idTokenNonce?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
   }): Promise<{
     url: URL;
@@ -44,6 +45,7 @@ declare const vercel: (options: VercelOptions) => {
     deviceId?: string | undefined;
   }) => Promise<OAuth2Tokens>;
   getUserInfo(token: OAuth2Tokens & {
+    expectedIdTokenNonce?: string | undefined;
     user?: {
       name?: {
         firstName?: string;

package/dist/social-providers/vk.d.mts

@@ -34,6 +34,7 @@ declare const vk: (options: VkOption) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    idTokenNonce?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
   }): Promise<{
     url: URL;
@@ -52,6 +53,7 @@ declare const vk: (options: VkOption) => {
   }) => Promise<OAuth2Tokens>;
   refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
   getUserInfo(data: OAuth2Tokens & {
+    expectedIdTokenNonce?: string | undefined;
     user?: {
       name?: {
         firstName?: string;

package/dist/social-providers/wechat.d.mts

@@ -66,6 +66,7 @@ declare const wechat: (options: WeChatOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    idTokenNonce?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
   }): {
     url: URL;
@@ -95,6 +96,7 @@ declare const wechat: (options: WeChatOptions) => {
     scopes: string[];
   }>);
   getUserInfo(token: OAuth2Tokens & {
+    expectedIdTokenNonce?: string | undefined;
     user?: {
       name?: {
         firstName?: string;

package/dist/social-providers/zoom.d.mts

@@ -130,6 +130,7 @@ declare const zoom: (userOptions: ZoomOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    idTokenNonce?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
   }) => Promise<{
     url: URL;
@@ -147,6 +148,7 @@ declare const zoom: (userOptions: ZoomOptions) => {
   }) => Promise<OAuth2Tokens>;
   refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
   getUserInfo(token: OAuth2Tokens & {
+    expectedIdTokenNonce?: string | undefined;
     user?: {
       name?: {
         firstName?: string;

package/dist/utils/host.d.mts

@@ -26,7 +26,7 @@
  * The semantic kind of a host, derived from RFC 6890 special-purpose registries
  * plus a few domain-name categories (localhost, cloud metadata FQDNs).
  */
-type HostKind = /** IPv4 `127.0.0.0/8` or IPv6 `::1`. */"loopback" /** DNS name `localhost` or RFC 6761 `.localhost` TLD. */ | "localhost" /** IPv4 `0.0.0.0` or IPv6 `::` — "this host on this network", not loopback. */ | "unspecified" /** RFC 1918 `10/8`, `172.16/12`, `192.168/16`, or IPv6 ULA `fc00::/7`. */ | "private" /** IPv4 `169.254/16` or IPv6 `fe80::/10`. Includes AWS IMDS `169.254.169.254`. */ | "linkLocal" /** RFC 6598 carrier-grade NAT `100.64.0.0/10`. */ | "sharedAddressSpace" /** RFC 5737 `192.0.2/24`, `198.51.100/24`, `203.0.113/24`, or RFC 3849 `2001:db8::/32`. */ | "documentation" /** RFC 2544 `198.18.0.0/15`. */ | "benchmarking" /** IPv4 `224.0.0.0/4` or IPv6 `ff00::/8`. */ | "multicast" /** IPv4 limited broadcast `255.255.255.255`. */ | "broadcast" /** Other RFC 6890 special-purpose ranges (0/8, 192.0.0/24, 240/4, 2001::/32, etc.). */ | "reserved" /** Cloud metadata service FQDN (e.g. `metadata.google.internal`). */ | "cloudMetadata" /** Any host not matching a special-purpose range above. */ | "public";
+type HostKind = /** IPv4 `127.0.0.0/8` or IPv6 `::1`. */"loopback" /** DNS name `localhost` or RFC 6761 `.localhost` TLD. */ | "localhost" /** IPv4 `0.0.0.0` or IPv6 `::` — "this host on this network", not loopback. */ | "unspecified" /** RFC 1918 `10/8`, `172.16/12`, `192.168/16`, or IPv6 ULA `fc00::/7`. */ | "private" /** IPv4 `169.254/16` or IPv6 `fe80::/10`. Includes AWS IMDS `169.254.169.254`. */ | "linkLocal" /** RFC 6598 carrier-grade NAT `100.64.0.0/10`. */ | "sharedAddressSpace" /** RFC 5737 `192.0.2/24`, `198.51.100/24`, `203.0.113/24`, or RFC 3849 `2001:db8::/32`. */ | "documentation" /** RFC 2544 `198.18.0.0/15`. */ | "benchmarking" /** IPv4 `224.0.0.0/4` or IPv6 `ff00::/8`. */ | "multicast" /** IPv4 limited broadcast `255.255.255.255`. */ | "broadcast" /** Other RFC 6890 special-purpose ranges (0.0.0.0/8, 192.0.0.0/24, 192.88.99.0/24, 240.0.0.0/4, 2001::/32, etc.). */ | "reserved" /** Cloud metadata service FQDN (e.g. `metadata.google.internal`). */ | "cloudMetadata" /** Any host not matching a special-purpose range above. */ | "public";
 /**
  * The syntactic form of the input host: an IPv4 literal, an IPv6 literal, or
  * a domain name. IPv4-mapped IPv6 (`::ffff:192.0.2.1`) is reported as `ipv4`

package/dist/utils/host.mjs

@@ -86,6 +86,7 @@ function classifyIPv4(ip) {
 	if (inIPv4Range(n, ipv4ToUint32("224.0.0.0"), 4)) return "multicast";
 	if (inIPv4Range(n, ipv4ToUint32("0.0.0.0"), 8)) return "reserved";
 	if (inIPv4Range(n, ipv4ToUint32("192.0.0.0"), 24)) return "reserved";
+	if (inIPv4Range(n, ipv4ToUint32("192.88.99.0"), 24)) return "reserved";
 	if (inIPv4Range(n, ipv4ToUint32("240.0.0.0"), 4)) return "reserved";
 	return "public";
 }
@@ -124,6 +125,7 @@ function classifyIPv6(expanded) {
 	const secondByte = Number.parseInt(expanded.slice(2, 4), 16);
 	if (firstByte === 255) return "multicast";
 	if (firstByte === 254 && (secondByte & 192) === 128) return "linkLocal";
+	if (firstByte === 254 && (secondByte & 192) === 192) return "reserved";
 	if ((firstByte & 254) === 252) return "private";
 	if (expanded.startsWith("2001:0db8:")) return "documentation";
 	if (expanded.startsWith("2001:0002:0000:")) return "benchmarking";
@@ -146,6 +148,7 @@ function classifyIPv6(expanded) {
 	if (expanded.startsWith("0100:0000:0000:0000:")) return "reserved";
 	if (expanded.startsWith("3fff:0")) return "documentation";
 	if (expanded.startsWith("5f00:")) return "reserved";
+	if (expanded.startsWith("0000:0000:0000:0000:0000:0000:")) return "reserved";
 	return "public";
 }
 /**

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/core",
-  "version": "1.7.0-beta.6",
+  "version": "1.7.0-beta.7",
   "description": "The most comprehensive authentication framework for TypeScript.",
   "type": "module",
   "license": "MIT",

package/src/oauth2/create-authorization-url.ts

@@ -15,6 +15,7 @@ export const RESERVED_AUTHORIZATION_PARAMS = [
 	"response_type",
 	"code_challenge",
 	"code_challenge_method",
+	"nonce",
 	"scope",
 ] as const;
 
@@ -37,6 +38,7 @@ export async function createAuthorizationURL({
 	responseType,
 	display,
 	loginHint,
+	nonce,
 	hd,
 	responseMode,
 	additionalParams,
@@ -56,6 +58,7 @@ export async function createAuthorizationURL({
 	responseType?: string | undefined;
 	display?: string | undefined;
 	loginHint?: string | undefined;
+	nonce?: string | undefined;
 	hd?: string | undefined;
 	responseMode?: string | undefined;
 	additionalParams?: Record<string, string> | undefined;
@@ -77,6 +80,7 @@ export async function createAuthorizationURL({
 	duration && url.searchParams.set("duration", duration);
 	display && url.searchParams.set("display", display);
 	loginHint && url.searchParams.set("login_hint", loginHint);
+	nonce && url.searchParams.set("nonce", nonce);
 	prompt && url.searchParams.set("prompt", prompt);
 	hd && url.searchParams.set("hd", hd);
 	accessType && url.searchParams.set("access_type", accessType);

package/src/oauth2/index.ts

@@ -68,6 +68,7 @@ export type {
 	OAuth2Tokens,
 	OAuth2UserInfo,
 	OAuthIdTokenConfig,
+	OAuthRefreshContext,
 	ProviderGrantAuthority,
 	ProviderOptions,
 	UpstreamProvider,

package/src/oauth2/oauth-provider.ts

@@ -77,6 +77,18 @@ export type OAuth2UserInfo = {
 	emailVerified: boolean;
 };
 
+/**
+ * Request metadata available to provider refresh hooks.
+ *
+ * The refresh flow may be triggered by endpoints such as `getAccessToken` or
+ * `refreshToken`; this context gives provider hooks access to the triggering
+ * request without exposing the full endpoint implementation surface.
+ */
+export interface OAuthRefreshContext {
+	headers?: Headers | undefined;
+	request?: Request | undefined;
+}
+
 /**
  * The result of building a provider authorization URL.
  *
@@ -142,6 +154,12 @@ export interface UpstreamProvider<
 		redirectURI: string;
 		display?: string | undefined;
 		loginHint?: string | undefined;
+		/**
+		 * OIDC nonce generated by the redirect initiator and persisted in OAuth
+		 * state. Providers that set `requiresIdTokenNonce` must forward this to
+		 * the authorization URL as the `nonce` parameter.
+		 */
+		idTokenNonce?: string | undefined;
 		/**
 		 * Extra query parameters to append to the authorization URL.
 		 * Providers forward these to the shared `createAuthorizationURL` helper,
@@ -159,6 +177,12 @@ export interface UpstreamProvider<
 	}) => Promise<OAuth2Tokens | null>;
 	getUserInfo: (
 		token: OAuth2Tokens & {
+			/**
+			 * OIDC nonce recovered from OAuth state. Providers that required an
+			 * ID-token nonce must pass this to `verifyProviderIdToken` before
+			 * trusting ID-token claims.
+			 */
+			expectedIdTokenNonce?: string | undefined;
 			/**
 			 * The user object from the provider
 			 * This is only available for some providers like Apple
@@ -178,10 +202,17 @@ export interface UpstreamProvider<
 		data: T;
 	} | null>;
 	/**
-	 * Custom function to refresh a token
+	 * Custom function to refresh a token.
+	 *
+	 * Receives request metadata from the endpoint that triggered the refresh.
+	 * Providers that don't need request-scoped data can ignore the second
+	 * argument.
 	 */
 	refreshAccessToken?:
-		| ((refreshToken: string) => Promise<OAuth2Tokens>)
+		| ((
+				refreshToken: string,
+				ctx?: OAuthRefreshContext,
+		  ) => Promise<OAuth2Tokens>)
 		| undefined;
 	/**
 	 * Declarative id_token verification config consumed by the shared
@@ -195,6 +226,13 @@ export interface UpstreamProvider<
 	 * against this value to prevent authorization server mix-up attacks.
 	 */
 	issuer?: string | undefined;
+	/**
+	 * Require shared OAuth redirect routes to bind ID-token verification to an
+	 * authorization request nonce. When true, routes generate `idTokenNonce`,
+	 * pass it to `createAuthorizationURL`, persist it in state, and provide it
+	 * back to `getUserInfo` as `expectedIdTokenNonce`.
+	 */
+	requiresIdTokenNonce?: boolean | undefined;
 	/**
 	 * Disable implicit sign up for new users. When set to true for the provider,
 	 * sign-in need to be called with with requestSignUp as true to create new users.

package/src/oauth2/refresh-access-token.ts

@@ -29,6 +29,21 @@ interface RefreshAccessTokenInput extends RefreshAccessTokenRequestInput {
 	tokenEndpoint: string;
 }
 
+/**
+ * Body keys owned by the refresh-token flow or unsafe to copy from caller input.
+ */
+const BLOCKED_REFRESH_TOKEN_PARAMS = [
+	"grant_type",
+	"refresh_token",
+	"__proto__",
+	"constructor",
+	"prototype",
+] as const;
+
+const BLOCKED_REFRESH_TOKEN_PARAMS_SET: ReadonlySet<string> = new Set(
+	BLOCKED_REFRESH_TOKEN_PARAMS,
+);
+
 export async function refreshAccessTokenRequest({
 	refreshToken,
 	options,
@@ -59,6 +74,17 @@ export async function refreshAccessTokenRequest({
 	return request;
 }
 
+function applyRefreshExtraParams(
+	body: URLSearchParams,
+	extraParams: Record<string, string> | undefined,
+) {
+	if (!extraParams) return;
+	for (const [key, value] of Object.entries(extraParams)) {
+		if (BLOCKED_REFRESH_TOKEN_PARAMS_SET.has(key)) continue;
+		body.set(key, value);
+	}
+}
+
 function buildRefreshAccessTokenRequest({
 	refreshToken,
 	options,
@@ -83,9 +109,7 @@ function buildRefreshAccessTokenRequest({
 		}
 	}
 	if (extraParams) {
-		for (const [key, value] of Object.entries(extraParams)) {
-			body.set(key, value);
-		}
+		applyRefreshExtraParams(body, extraParams);
 	}
 
 	return {

package/src/oauth2/verify-id-token.ts

@@ -79,6 +79,8 @@ export async function verifyProviderIdToken(
 		// Opaque (non-JWS) tokens carry no signature to check. They are accepted only when the
 		// provider opts in, in which case getUserInfo resolves identity from the access token via
 		// the provider's userinfo endpoint, which validates it (e.g. Facebook Graph access tokens).
+		// An expected `nonce` is not enforced here: an opaque token carries no `nonce` claim, and the
+		// access-token-backed userinfo exchange (not the token itself) is the identity source.
 		if (token.split(".").length !== 3) {
 			return config.allowOpaqueToken === true;
 		}

package/src/utils/host.ts

@@ -49,7 +49,7 @@ export type HostKind =
 	| "multicast"
 	/** IPv4 limited broadcast `255.255.255.255`. */
 	| "broadcast"
-	/** Other RFC 6890 special-purpose ranges (0/8, 192.0.0/24, 240/4, 2001::/32, etc.). */
+	/** Other RFC 6890 special-purpose ranges (0.0.0.0/8, 192.0.0.0/24, 192.88.99.0/24, 240.0.0.0/4, 2001::/32, etc.). */
 	| "reserved"
 	/** Cloud metadata service FQDN (e.g. `metadata.google.internal`). */
 	| "cloudMetadata"
@@ -183,6 +183,8 @@ function classifyIPv4(ip: string): HostKind {
 	if (inIPv4Range(n, ipv4ToUint32("224.0.0.0"), 4)) return "multicast";
 	if (inIPv4Range(n, ipv4ToUint32("0.0.0.0"), 8)) return "reserved";
 	if (inIPv4Range(n, ipv4ToUint32("192.0.0.0"), 24)) return "reserved";
+	// 6to4 relay anycast (RFC 7526, deprecated), not globally reachable.
+	if (inIPv4Range(n, ipv4ToUint32("192.88.99.0"), 24)) return "reserved";
 	if (inIPv4Range(n, ipv4ToUint32("240.0.0.0"), 4)) return "reserved";
 
 	return "public";
@@ -231,6 +233,8 @@ function classifyIPv6(expanded: string): HostKind {
 
 	if (firstByte === 0xff) return "multicast";
 	if (firstByte === 0xfe && (secondByte & 0xc0) === 0x80) return "linkLocal";
+	// fec0::/10 — deprecated site-local (RFC 3879), not globally reachable.
+	if (firstByte === 0xfe && (secondByte & 0xc0) === 0xc0) return "reserved";
 	if ((firstByte & 0xfe) === 0xfc) return "private";
 
 	if (expanded.startsWith("2001:0db8:")) return "documentation";
@@ -270,6 +274,11 @@ function classifyIPv6(expanded: string): HostKind {
 	// 5f00::/16 — SRv6 SIDs (RFC 9602), not globally reachable.
 	if (expanded.startsWith("5f00:")) return "reserved";
 
+	// ::/96 — deprecated IPv4-compatible IPv6 (RFC 4291 §2.5.5.1). `::` and
+	// `::1` are matched above; the rest of the block embeds an IPv4 (e.g.
+	// `::127.0.0.1`) and is never a valid public target.
+	if (expanded.startsWith("0000:0000:0000:0000:0000:0000:")) return "reserved";
+
 	return "public";
 }