Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS03OHhqLWNnaDUtMmgyMs4AA5Ki

NPM IP package incorrectly identifies some private IP addresses as public

The isPublic() function in the NPM package ip doesn't correctly identify certain private IP addresses in uncommon formats such as 0x7F.1 as private. Instead, it reports them as public by returning true. This can lead to security issues such as Server-Side Request Forgery (SSRF) if isPublic() is used to protect sensitive code paths when passed user input. Versions 1.1.9 and 2.0.1 fix the issue.

Permalink: https://github.com/advisories/GHSA-78xj-cgh5-2h22
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03OHhqLWNnaDUtMmgyMs4AA5Ki
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 22 days ago
Updated: 10 days ago


Identifiers: GHSA-78xj-cgh5-2h22, CVE-2023-42282
References:

Affected Packages

npm:ip
Versions: < 1.1.9, = 2.0.0
Fixed in: 1.1.9, 2.0.1