CVE-2023-42282 – ip
Package
Manager: npm
Name: ip
Vulnerable Version: =2.0.0 || >=2.0.0 <2.0.1 || >=0 <1.1.9
Severity
Level: Low
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L
EPSS: 0.00397 (percentile 0.59774)
Details
Summary: NPM IP package incorrectly identifies some private IP addresses as public
The `isPublic()` function in the NPM package `ip` doesn't correctly identify certain private IP addresses in uncommon formats such as `0x7F.1` as private. Instead, it reports them as public by returning `true`. This can lead to security issues such as Server-Side Request Forgery (SSRF) if `isPublic()` is used to protect sensitive code paths when passed user input. Versions 1.1.9 and 2.0.1 fix the issue.
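As an added example (not code from the `ip` package or from the advisory), the check below canonicalizes inet_aton-style IPv4 spellings (hex and octal parts, fewer than four parts, a single integer) before matching private ranges, so an input such as `0x7F.1` is judged on its real value 127.0.0.1 and unparseable input fails closed. The function names and the range list are this example's own assumptions.

```javascript
// Parse one dotted part the way inet_aton does: 0x.. hex, leading-0 octal, else decimal.
function parsePart(s) {
  let m;
  if ((m = /^0[xX]([0-9a-fA-F]+)$/.exec(s))) return parseInt(m[1], 16);
  if ((m = /^0([0-7]+)$/.exec(s))) return parseInt(m[1], 8);
  if (/^(0|[1-9][0-9]*)$/.test(s)) return Number(s);
  return NaN; // anything else ("08", "abc", "") is not a valid part
}

// 32-bit value of an IPv4 string in any inet_aton form (1 to 4 parts, the last
// part filling the remaining bytes), or null if it does not parse.
function toIPv4Number(str) {
  const parts = String(str).trim().split('.');
  if (parts.length < 1 || parts.length > 4) return null;
  const nums = parts.map(parsePart);
  if (nums.some(n => !Number.isInteger(n))) return null;
  const last = nums[nums.length - 1];
  const lastMax = 2 ** (8 * (5 - nums.length)); // bytes left for the last part
  if (nums.slice(0, -1).some(n => n > 255) || last >= lastMax) return null;
  let value = 0;
  for (let i = 0; i < nums.length - 1; i++) value = value * 256 + nums[i];
  return value * 256 ** (5 - nums.length) + last;
}

// Canonical dotted-quad form, e.g. "0x7F.1" -> "127.0.0.1"; null if invalid.
function canonicalIPv4(str) {
  const v = toIPv4Number(str);
  if (v === null) return null;
  return [v >>> 24, (v >>> 16) & 255, (v >>> 8) & 255, v & 255].join('.');
}

// Assumed list: "this host", RFC 1918, CGNAT, loopback and link-local.
// Extend it (multicast, reserved, IPv6) to match your own policy.
const PRIVATE_RANGES = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
];

function inRange(v, base, bits) {
  const mask = bits === 0 ? 0 : (~0 << (32 - bits)) >>> 0;
  return ((v & mask) >>> 0) === ((toIPv4Number(base) & mask) >>> 0);
}

// Hardened gate: compares on the canonical value and treats unparseable
// input as not public, so odd spellings cannot slip past the private check.
function isPublicIPv4(str) {
  const v = toIPv4Number(str);
  if (v === null) return false;
  return !PRIVATE_RANGES.some(([base, bits]) => inRange(v, base, bits));
}
```

A stricter alternative is to reject any input whose canonical form differs from what the caller supplied, which removes the ambiguous spellings entirely.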
Metadata
Created: 2024-02-08T18:30:39Z
Modified: 2024-06-28T16:49:27Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-78xj-cgh5-2h22/GHSA-78xj-cgh5-2h22.json
CWE IDs: ["CWE-918"]
Alternative ID: GHSA-78xj-cgh5-2h22
Finding: F100
Auto approve: 1