NPM IP package incorrectly identifies some private IP addresses as public

Moderate severity GitHub Reviewed Published Feb 8, 2024 to the GitHub Advisory Database • Updated Feb 20, 2024

Package

npm ip (npm)

Affected versions

= 2.0.0
< 1.1.9

Patched versions

2.0.1
1.1.9

Description

The isPublic() function in the NPM package ip does not correctly identify certain private IP addresses written in uncommon formats, such as 0x7F.1, as private. Instead, it reports them as public by returning true. This can lead to security issues such as Server-Side Request Forgery (SSRF) when isPublic() is used to gate sensitive code paths on user-supplied input. Versions 1.1.9 and 2.0.1 fix the issue.
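The defensive fix for this class of bug is to canonicalise the address before any range check, so that every legacy spelling accepted by inet_aton() (hexadecimal, octal, and fewer than four parts) is compared as the same 32-bit value. The following is an added example, not code from the ip package or from this advisory; it covers IPv4 only (IPv6 and IPv4-mapped forms are assumed out of scope) and fails closed on input it cannot parse.

```javascript
// Added example, not code from the `ip` package: a private-address check that first
// canonicalises legacy inet_aton() spellings (hex, octal, <4 parts) such as "0x7F.1".

// One part of a dotted address: "0x.." is hex, a leading 0 means octal, else decimal.
function parsePart(s) {
  if (/^0x[0-9a-f]+$/i.test(s)) return parseInt(s.slice(2), 16);
  if (/^0[0-7]*$/.test(s)) return parseInt(s, 8);
  if (/^[1-9][0-9]*$/.test(s)) return parseInt(s, 10);
  return NaN;
}

// Any inet_aton-style spelling -> unsigned 32-bit integer, or null if invalid.
// With fewer than four parts the last part fills all remaining low-order bytes.
function toIPv4Int(str) {
  const parts = str.trim().split('.');
  if (parts.length > 4) return null;
  const nums = parts.map(parsePart);
  if (nums.some(Number.isNaN)) return null;
  const last = nums.pop();
  const lastBits = 8 * (4 - nums.length);
  if (nums.some(n => n > 255) || last > 2 ** lastBits - 1) return null;
  let v = 0;
  for (const n of nums) v = v * 256 + n;
  return (v * 2 ** lastBits + last) >>> 0;
}

// Render the canonical dotted-decimal form, e.g. "0x7F.1" -> "127.0.0.1".
function canonicalIPv4(str) {
  const a = toIPv4Int(str);
  if (a === null) return null;
  return [a >>> 24, (a >>> 16) & 255, (a >>> 8) & 255, a & 255].join('.');
}

// Non-public IPv4 ranges as [network, prefix length]; constructed list for this example.
const NON_PUBLIC = [['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16], ['224.0.0.0', 4], ['240.0.0.0', 4]];

function inRange(addr, net, prefix) {
  const mask = (0xffffffff << (32 - prefix)) >>> 0;   // prefix is 1..32 here
  return ((addr & mask) >>> 0) === ((net & mask) >>> 0);
}

// True for any non-public IPv4 spelling; also true (fail closed) for unparsable input.
function isPrivateIPv4(str) {
  const addr = toIPv4Int(str);
  if (addr === null) return true;
  return NON_PUBLIC.some(([net, p]) => inRange(addr, toIPv4Int(net), p));
}
```

A check written this way classifies 0x7F.1, 2130706433 and 017700000001 identically to 127.0.0.1, which is the property the vulnerable isPublic() lacked.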

Published by the National Vulnerability Database Feb 8, 2024
Published to the GitHub Advisory Database Feb 8, 2024
Reviewed Feb 9, 2024
Last updated Feb 20, 2024

Severity

Moderate

CVE ID

CVE-2023-42282

GHSA ID

GHSA-78xj-cgh5-2h22
