<p>Upgrade <code>ip</code> to version 1.1.9, 2.0.1 or higher.</p>

Server-side Request Forgery (SSRF) Affecting ip package, versions <1.1.9 >=2.0.0 <2.0.1

Threat Intelligence

Proof of concept

0.08% (37^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-JS-IP-6240864
published 11 Feb 2024
disclosed 8 Feb 2024
credit Emre Durmaz

Report a new vulnerability Found a mistake?

Introduced: 8 Feb 2024

CVE-2023-42282 Open this link in a new tab CWE-918 Open this link in a new tab

How to fix?

Upgrade ip to version 1.1.9, 2.0.1 or higher.

Overview

ip is a Node library.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the isPublic function, by failing to identify hex-encoded 0x7f.1 as equivalent to the private addess 127.0.0.1. An attacker can expose sensitive information, interact with internal services, or exploit other vulnerabilities within the network by exploiting this vulnerability.

PoC

var ip = require('ip');

console.log(ip.isPublic("0x7f.1"));
//This returns true. It should be false because 0x7f.1 == 127.0.0.1 == 0177.1

References

CVSS Scores

version 3.1

Attack Vector (AV)

Network
Attack Complexity (AC)

Low
Privileges Required (PR)

None
User Interaction (UI)

None

Scope (S)

Unchanged

Confidentiality (C)

High
Integrity (I)

Low
Availability (A)

Low

Server-side Request Forgery (SSRF) Affecting ip package, versions <1.1.9 >=2.0.0 <2.0.1

Severity

CVSS assessment made by Snyk's Security Team