NPM IP package incorrectly identifies some private IP addresses as public [MODERATE] #170

Closed
opened 2024-02-20 17:37:20 +00:00 by Helpdesk · 0 comments

Package: ip (npm)
Affected versions: = 2.0.0
Patched version: 2.0.1


The isPublic() function in the NPM package ip doesn't correctly identify certain private IP addresses in uncommon formats such as 0x7F.1 as private. Instead, it reports them as public by returning true. This can lead to security issues such as Server-Side Request Forgery (SSRF) if isPublic() is used to protect sensitive code paths when passed user input. Versions 1.1.9 and 2.0.1 fix the issue.

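The advisory above is about a string-shaped private-range check being fed an address in inet_aton shorthand. The following is an added illustration, not code from the `ip` package, from the GitHub advisory, or from the card-drop project: `naiveIsPublic` is a hypothetical regex-over-the-raw-string check of the kind that lets `0x7F.1` through, and `hardenedIsPublic` first parses the input the way a legacy `inet_aton()` does (one to four parts, each decimal, `0x` hex or leading-zero octal, the last part filling the remaining bytes) and only then classifies the resulting 32-bit value against CIDR ranges. All function and constant names, and the sample addresses, are this example's own.

```javascript
// Added example: not the ip package's code. Shows why a regex check over the
// raw string misses inet_aton shorthand (0x7F.1, 0177.0.0.1, 2130706433)
// and how normalising to a 32-bit value before classifying fixes it.

// Hypothetical naive check: patterns over the string as given.
const PRIVATE_PATTERNS = [
  /^0\.\d{1,3}\.\d{1,3}\.\d{1,3}$/,
  /^10\.\d{1,3}\.\d{1,3}\.\d{1,3}$/,
  /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/,
  /^169\.254\.\d{1,3}\.\d{1,3}$/,
  /^172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}$/,
  /^192\.168\.\d{1,3}\.\d{1,3}$/,
];

function naiveIsPublic(addr) {
  // "0x7F.1" matches none of the patterns, so it is reported as public.
  return !PRIVATE_PATTERNS.some((re) => re.test(addr));
}

// Parse like legacy inet_aton(): 1-4 dot-separated parts, each decimal,
// 0x-prefixed hex, or leading-0 octal; the last part fills the remaining
// bytes. Returns an unsigned 32-bit number, or null if not parseable.
function parseInetAton(addr) {
  if (typeof addr !== 'string' || addr.length === 0) return null;
  const parts = addr.split('.');
  if (parts.length > 4) return null;
  const values = [];
  for (const p of parts) {
    let v;
    if (/^0[xX][0-9a-fA-F]+$/.test(p)) v = parseInt(p.slice(2), 16);
    else if (/^0[0-7]*$/.test(p)) v = parseInt(p, 8); // "0" parses as 0
    else if (/^[1-9]\d*$/.test(p)) v = parseInt(p, 10);
    else return null;
    values.push(v);
  }
  const last = values.pop();
  // Every leading part must fit in one byte; the last fills what is left.
  if (values.some((v) => v > 0xff)) return null;
  const lastBytes = 4 - values.length;
  if (last >= 2 ** (8 * lastBytes)) return null;
  let n = 0;
  for (const v of values) n = n * 256 + v;
  n = n * 2 ** (8 * lastBytes) + last;
  return n >>> 0;
}

function toDottedQuad(n) {
  return [n >>> 24, (n >>> 16) & 0xff, (n >>> 8) & 0xff, n & 0xff].join('.');
}

// Ranges that must never be treated as public when guarding outbound requests
// (loopback, RFC 1918, link-local/metadata, CGNAT, "this" network, multicast
// and reserved). Chosen for this example; adjust to the deployment's policy.
const PRIVATE_RANGES = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
  ['224.0.0.0', 4], ['240.0.0.0', 4],
];

function inRange(n, base, prefix) {
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return ((n & mask) >>> 0) === ((parseInetAton(base) & mask) >>> 0);
}

// Hardened check: classify the canonical 32-bit value, never the raw string.
// Anything that does not parse as IPv4 is rejected (fail closed).
function hardenedIsPublic(addr) {
  const n = parseInetAton(addr);
  if (n === null) return false;
  return !PRIVATE_RANGES.some(([base, prefix]) => inRange(n, base, prefix));
}

// Constructed sample inputs: the advisory's 0x7F.1 plus other shorthand forms
// that all resolve to loopback or RFC 1918 space.
const SAMPLES = ['0x7F.1', '0177.0.0.1', '2130706433', '0xA.1', '127.0.0.1', '8.8.8.8'];
for (const s of SAMPLES) {
  const n = parseInetAton(s);
  console.log(
    `${s.padEnd(12)} -> ${n === null ? 'invalid' : toDottedQuad(n).padEnd(15)}` +
    ` naive=${naiveIsPublic(s)} hardened=${hardenedIsPublic(s)}`,
  );
}
```

Because the check runs on the normalised value, any encoding a downstream HTTP client would resolve to a loopback or RFC 1918 address is rejected, whereas the naive check disagrees with the client on every shorthand form. This example covers only the IPv4 shorthand the advisory describes; IPv6 literals and IPv4-mapped IPv6 forms need their own handling, and the actual fix shipped in `ip` 1.1.9 / 2.0.1 is not reproduced here.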
Helpdesk added the type/dependencies label 2024-02-20 17:37:28 +00:00
Helpdesk added this to the 0.5.1 milestone 2024-02-20 17:37:30 +00:00
Helpdesk changed title from NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks [HIGH] to NPM IP package incorrectly identifies some private IP addresses as public [MODERATE] 2024-02-27 18:26:26 +00:00
Vylpes self-assigned this 2024-03-14 17:23:12 +00:00
Vylpes started working 2024-03-14 17:23:15 +00:00
Vylpes stopped working 2024-03-14 17:32:18 +00:00
Reference: External/card-drop#170