diff --git a/plugins/feed-discovery/src/feed-discovery.test.ts b/plugins/feed-discovery/src/feed-discovery.test.ts
index 3efd069..f2c4383 100644
--- a/plugins/feed-discovery/src/feed-discovery.test.ts
+++ b/plugins/feed-discovery/src/feed-discovery.test.ts
@@ -50,6 +50,7 @@ describe("site probing helpers", () => {
 it("blocks private SSRF targets", async () => {
 await expect(assertSafeHttpUrl("http://127.0.0.1/feed")).rejects.toThrow(/Blocked internal/);
+ await expect(assertSafeHttpUrl("http://[::]/feed")).rejects.toThrow(/Blocked internal/);
 await expect(assertSafeHttpUrl("http://[::ffff:192.168.1.10]/feed")).rejects.toThrow(/Blocked internal/);
 await expect(assertSafeHttpUrl("file:///etc/passwd")).rejects.toThrow(/Unsupported URL protocol/);
 });
diff --git a/plugins/feed-discovery/src/url-safety.ts b/plugins/feed-discovery/src/url-safety.ts
index c2e6d25..4bde9cb 100644
--- a/plugins/feed-discovery/src/url-safety.ts
+++ b/plugins/feed-discovery/src/url-safety.ts
@@ -78,6 +78,7 @@ function isBlockedIp(value: string) {
 return isBlockedIp(`${high >> 8}.${high & 255}.${low >> 8}.${low & 255}`);
 }
 return (
+ normalized === "::" ||
 normalized === "::1" ||
 normalized.startsWith("fc") ||
 normalized.startsWith("fd") ||
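Review bot: The new `normalized === "::"` check in isBlockedIp only matches the compressed spelling; whether equivalent forms such as `0:0:0:0:0:0:0:0` or `::0` arrive at this comparison already collapsed depends on how `normalized` is built earlier in the function, which is outside the hunk. If that normalization is just lowercasing and bracket stripping, an exact-string compare is fragile and it would be safer to compare an expanded form (all eight groups zero) or route the value through the same canonicalization the `::ffff:` mapped-address branch above relies on. The added line also deserves a short comment, since `::` is not self-explanatory next to the `::1` loopback check, e.g. `// "::" is the unspecified address; most stacks treat a connection to it as local`. The remaining conditions of this `return (` expression continue past the hunk, so I cannot tell from here which other reserved ranges are covered.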