Skip to content

NPM IP package incorrectly identifies some private IP addresses as public

Low severity GitHub Reviewed Published Feb 8, 2024 to the GitHub Advisory Database • Updated Jun 28, 2024

Package

npm ip (npm)

Affected versions

= 2.0.0
< 1.1.9

Patched versions

2.0.1
1.1.9

Description

The isPublic() function in the NPM package ip doesn't correctly identify certain private IP addresses in uncommon formats such as 0x7F.1 as private. Instead, it reports them as public by returning true. This can lead to security issues such as Server-Side Request Forgery (SSRF) if isPublic() is used to protect sensitive code paths when passed user input. Versions 1.1.9 and 2.0.1 fix the issue.

References

Published by the National Vulnerability Database Feb 8, 2024
Published to the GitHub Advisory Database Feb 8, 2024
Reviewed Feb 9, 2024
Last updated Jun 28, 2024

Severity

Low

EPSS score

0.084%
(37th percentile)

Weaknesses

CVE ID

CVE-2023-42282

GHSA ID

GHSA-78xj-cgh5-2h22

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.