{"actions":[],"advisories":{"1099357":{"findings":[{"version":"2.0.1","paths":["puppeteer>@puppeteer/browsers>proxy-agent>socks-proxy-agent>socks>ip","playwright>fsevents>node-gyp>make-fetch-happen>socks-proxy-agent>socks>ip","mocha>chokidar>fsevents>node-gyp>make-fetch-happen>socks-proxy-agent>socks>ip","codeceptjs>mocha>chokidar>fsevents>node-gyp>make-fetch-happen>socks-proxy-agent>socks>ip","codeceptjs>mocha-junit-reporter>mocha>chokidar>fsevents>node-gyp>make-fetch-happen>socks-proxy-agent>socks>ip"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-29415\n- https://github.com/indutny/node-ip/issues/150\n- https://github.com/indutny/node-ip/pull/143\n- https://github.com/indutny/node-ip/pull/144\n- https://github.com/advisories/GHSA-2p57-rm9w-gvfp","created":"2024-06-02T22:29:29.000Z","id":1099357,"npm_advisory_id":null,"overview":"The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.","reported_by":null,"title":"ip SSRF improper categorization in isPublic","metadata":null,"cves":["CVE-2024-29415"],"access":"public","severity":"high","module_name":"ip","vulnerable_versions":"<=2.0.1","github_advisory_id":"GHSA-2p57-rm9w-gvfp","recommendation":"None","patched_versions":"<0.0.0","updated":"2024-09-03T19:59:02.000Z","cvss":{"score":8.1,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},"cwe":["CWE-918"],"url":"https://github.com/advisories/GHSA-2p57-rm9w-gvfp"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":0,"moderate":0,"high":5,"critical":0},"dependencies":690,"devDependencies":0,"optionalDependencies":0,"totalDependencies":690}}