ip@0.0.3 vulnerabilities

ip is a Node library.

Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF) via the isPublic function, which identifies some private IP addresses as public addresses due to improper parsing of the input. An attacker can manipulate a system that uses isLoopback(), isPrivate() and isPublic functions to guard outgoing network requests to treat certain IP addresses as globally routable by supplying specially crafted IP addresses.

Note

This vulnerability derived from an incomplete fix for CVE-2023-42282

There is no fixed version for ip.

ip is a Node library.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the isPublic function, by failing to identify hex-encoded 0x7f.1 as equivalent to the private addess 127.0.0.1. An attacker can expose sensitive information, interact with internal services, or exploit other vulnerabilities within the network by exploiting this vulnerability.

Upgrade ip to version 1.1.9, 2.0.1 or higher.

ip is an IP address utility for node.js.

Affected versions of the package are vulnerable to Uninitialized Memory Exposure due to an insecure use of the Node.js Buffer class.

Upgrade ip to version 1.1.5 or higher. Note This is vulnerable only for Node <=4