Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS03OHhqLWNnaDUtMmgyMs4AA5Ki
NPM IP package incorrectly identifies some private IP addresses as public
The isPublic() function in the NPM package ip doesn't correctly identify certain private IP addresses in uncommon formats such as 0x7F.1 as private. Instead, it reports them as public by returning true. This can lead to security issues such as Server-Side Request Forgery (SSRF) if isPublic() is used to protect sensitive code paths when passed user input. Versions 1.1.9 and 2.0.1 fix the issue.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03OHhqLWNnaDUtMmgyMs4AA5Ki
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 3 months ago
Updated: 2 months ago
Identifiers: GHSA-78xj-cgh5-2h22, CVE-2023-42282
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-42282
- https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html
- https://github.com/JoshGlazebrook/socks/issues/93#issue-2128357447
- https://github.com/github/advisory-database/pull/3504#issuecomment-1937179999
- https://github.com/indutny/node-ip/pull/138
- https://github.com/indutny/node-ip/commit/32f468f1245574785ec080705737a579be1223aa
- https://github.com/indutny/node-ip/commit/6a3ada9b471b09d5f0f5be264911ab564bf67894
- https://github.com/advisories/GHSA-78xj-cgh5-2h22
Blast Radius: 0.0
Affected Packages
npm:ip
Dependent packages: 4,157Dependent repositories: 2,948,597
Downloads: 86,791,513 last month
Affected Version Ranges: < 1.1.9, = 2.0.0
Fixed in: 1.1.9, 2.0.1
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.1.0, 0.2.0, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.1.7, 1.1.8, 2.0.0
All unaffected versions: 1.1.9, 2.0.1