Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0ycDU3LXJtOXctZ3ZmcM4AA8mQ
ip SSRF improper categorization in isPublic
The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.
Permalink: https://github.com/advisories/GHSA-2p57-rm9w-gvfpJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0ycDU3LXJtOXctZ3ZmcM4AA8mQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 6 months ago
Updated: 3 months ago
CVSS Score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-2p57-rm9w-gvfp, CVE-2024-29415
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-29415
- https://github.com/indutny/node-ip/issues/150
- https://github.com/indutny/node-ip/pull/143
- https://github.com/indutny/node-ip/pull/144
- https://github.com/advisories/GHSA-2p57-rm9w-gvfp
Blast Radius: 52.4
Affected Packages
npm:ip
Dependent packages: 4,157Dependent repositories: 2,948,597
Downloads: 66,153,910 last month
Affected Version Ranges: <= 2.0.1
No known fixed version
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.1.0, 0.2.0, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.1.7, 1.1.8, 1.1.9, 2.0.0, 2.0.1