An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS03OHhqLWNnaDUtMmgyMs4AA5Ki

NPM IP package incorrectly identifies some private IP addresses as public

The isPublic() function in the NPM package ip doesn't correctly identify certain private IP addresses in uncommon formats such as 0x7F.1 as private. Instead, it reports them as public by returning true. This can lead to security issues such as Server-Side Request Forgery (SSRF) if isPublic() is used to protect sensitive code paths when passed user input. Versions 1.1.9 and 2.0.1 fix the issue.

Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 22 days ago
Updated: 10 days ago

Identifiers: GHSA-78xj-cgh5-2h22, CVE-2023-42282

Affected Packages

Versions: < 1.1.9, = 2.0.0
Fixed in: 1.1.9, 2.0.1