From af20981bee63e0f631641e945141e86efefe51b6 Mon Sep 17 00:00:00 2001
From: sahvx655-wq <sahvx655@gmail.com>
Date: Sat, 30 May 2026 15:41:29 +0530
Subject: [PATCH] reject signed hex group in isValidInet6Address

---
 .../commons/validator/routines/InetAddressValidator.java       | 3 +++
 .../commons/validator/routines/InetAddressValidatorTest.java   | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/src/main/java/org/apache/commons/validator/routines/InetAddressValidator.java b/src/main/java/org/apache/commons/validator/routines/InetAddressValidator.java
index 643cc5466..7fe18a9d1 100644
--- a/src/main/java/org/apache/commons/validator/routines/InetAddressValidator.java
+++ b/src/main/java/org/apache/commons/validator/routines/InetAddressValidator.java
@@ -201,6 +201,9 @@ public boolean isValidInet6Address(String inet6Address) {
                 if (octet.length() > IPV6_MAX_HEX_DIGITS_PER_GROUP) {
                     return false;
                 }
+                if (octet.charAt(0) == '+' || octet.charAt(0) == '-') {
+                    return false; // Integer.parseInt accepts a leading sign, which is not a valid hex group
+                }
                 int octetInt = 0;
                 try {
                     octetInt = Integer.parseInt(octet, BASE_16);
diff --git a/src/test/java/org/apache/commons/validator/routines/InetAddressValidatorTest.java b/src/test/java/org/apache/commons/validator/routines/InetAddressValidatorTest.java
index dcd69d03b..212ce351d 100644
--- a/src/test/java/org/apache/commons/validator/routines/InetAddressValidatorTest.java
+++ b/src/test/java/org/apache/commons/validator/routines/InetAddressValidatorTest.java
@@ -159,6 +159,9 @@ void testIPv6() {
         assertTrue(validator.isValidInet6Address("1:2:3:4:5::7:8"), "IPV6 1:2:3:4:5::7:8 should be valid");
         assertFalse(validator.isValidInet6Address("1:2:3::4:5::7:8"), "IPV6 1:2:3::4:5::7:8 should be invalid"); // Double "::"
         assertFalse(validator.isValidInet6Address("12345::6:7:8"), "IPV6 12345::6:7:8 should be invalid");
+        assertFalse(validator.isValidInet6Address("1:2:3:4:5:6:7:+8"), "IPV6 1:2:3:4:5:6:7:+8 should be invalid"); // signed hex group
+        assertFalse(validator.isValidInet6Address("fe80::+1"), "IPV6 fe80::+1 should be invalid"); // signed hex group
+        assertFalse(validator.isValidInet6Address("::+f"), "IPV6 ::+f should be invalid"); // signed hex group
         assertTrue(validator.isValidInet6Address("1:2:3:4::7:8"), "IPV6 1:2:3:4::7:8 should be valid");
         assertTrue(validator.isValidInet6Address("1:2:3::7:8"), "IPV6 1:2:3::7:8 should be valid");
         assertTrue(validator.isValidInet6Address("1:2::7:8"), "IPV6 1:2::7:8 should be valid");