GHSA-78xj-cgh5-2h22
Suggest an improvement- Source
- https://github.com/advisories/GHSA-78xj-cgh5-2h22
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-78xj-cgh5-2h22/GHSA-78xj-cgh5-2h22.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-78xj-cgh5-2h22
- Aliases
- Related
- Published
- 2024-02-08T18:30:39Z
- Modified
- 2024-09-11T06:13:09.752080Z
- Summary
- NPM IP package incorrectly identifies some private IP addresses as public
- Details
-
The
isPublic()function in the NPM packageipdoesn't correctly identify certain private IP addresses in uncommon formats such as0x7F.1as private. Instead, it reports them as public by returningtrue. This can lead to security issues such as Server-Side Request Forgery (SSRF) ifisPublic()is used to protect sensitive code paths when passed user input. Versions 1.1.9 and 2.0.1 fix the issue. - Database specific
{ "nvd_published_at": "2024-02-08T17:15:10Z", "cwe_ids": [ "CWE-918" ], "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2024-02-09T15:03:18Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2023-42282
- https://github.com/JoshGlazebrook/socks/issues/93#issue-2128357447
- https://github.com/github/advisory-database/pull/3504#issuecomment-1937179999
- https://github.com/indutny/node-ip/pull/138
- https://github.com/indutny/node-ip/commit/32f468f1245574785ec080705737a579be1223aa
- https://github.com/indutny/node-ip/commit/6a3ada9b471b09d5f0f5be264911ab564bf67894
- https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html
- https://github.com/indutny/node-ip
Affected packages
npm / ip
Package
- Name
- ip
- View open source insights on deps.dev
- Purl
- pkg:npm/ip
npm / ip
Package
- Name
- ip
- View open source insights on deps.dev
- Purl
- pkg:npm/ip