NPM IP package incorrectly identifies some private IP addresses as public [MODERATE] #170

New issue

Closed

opened 2024-02-20 17:37:20 +00:00 by Helpdesk · 0 comments

Helpdesk commented 2024-02-20 17:37:20 +00:00

Member

Copy link

Package: ip (npm)
Affected versions: = 2.0.0
Patched version: 2.0.1

---

The isPublic() function in the NPM package ip doesn't correctly identify certain private IP addresses in uncommon formats such as 0x7F.1 as private. Instead, it reports them as public by returning true. This can lead to security issues such as Server-Side Request Forgery (SSRF) if isPublic() is used to protect sensitive code paths when passed user input. Versions 1.1.9 and 2.0.1 fix the issue.

Package: ip (npm) Affected versions: = 2.0.0 Patched version: 2.0.1 --- The `isPublic()` function in the NPM package `ip` doesn't correctly identify certain private IP addresses in uncommon formats such as `0x7F.1` as private. Instead, it reports them as public by returning `true`. This can lead to security issues such as Server-Side Request Forgery (SSRF) if `isPublic()` is used to protect sensitive code paths when passed user input. Versions 1.1.9 and 2.0.1 fix the issue.

Helpdesk added the

type

dependencies

label 2024-02-20 17:37:28 +00:00

Helpdesk added this to the 0.5.1 milestone 2024-02-20 17:37:30 +00:00

Helpdesk changed title from NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks [HIGH] to NPM IP package incorrectly identifies some private IP addresses as public [MODERATE] 2024-02-27 18:26:26 +00:00

Vylpes self-assigned this 2024-03-14 17:23:12 +00:00

Vylpes started working 2024-03-14 17:23:15 +00:00

Vylpes closed this issue 2024-03-14 17:32:18 +00:00

Vylpes stopped working 2024-03-14 17:32:18 +00:00

9 minutes 3 seconds

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

develop

renovate/ts-jest-29.x-lockfile

hotfix/0.6.4

v0.6.4

v0.6.3

v0.6.2

v0.6.1

v0.6.0

v0.5.2

v0.5.1

v0.5.0

v0.4.2

v0.4.1

v0.4.0

v0.3.1

v0.3.0

v0.2.1

v0.2.0

v0.1.8

v0.1.7

v0.1.6

v0.1.5

v0.1.4

v0.1.3

v0.1.2

v0.1.1

v0.1.0

Labels

Clear labels   

blocked

  

duplicate

  

question

  

requires documentation

  

type

admin

  

type

bug

  

type

change

  

type

defect

  

type

dependencies

  

type

epic

  

type

spike

  

type

story

  

type

subtask

  

won't fix

No labels

blocked

duplicate

question

requires documentation

type

admin

type

bug

type

change

type

defect

type

dependencies

type

epic

type

spike

type

story

type

subtask

won't fix

Milestone

Clear milestone

No items

No milestone

0.5.1

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

Vylpes

1 participant

Notifications

Subscribe

Total time spent: 9 minutes 3 seconds

Vylpes

9 minutes 3 seconds

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: External/card-drop#170

No description provided.