Описание
The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| node-ip | fixed | 2.0.1+~1.1.3-1 | package | |
| node-ip | no-dsa | bookworm | package | |
| node-ip | no-dsa | bullseye | package | |
| node-ip | no-dsa | buster | package |
Примечания
https://huntr.com/bounties/bfc3b23f-ddc0-4ee7-afab-223b07115ed3/
https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html
https://github.com/indutny/node-ip/issues/136
https://github.com/indutny/node-ip/issues/144
EPSS
Связанные уязвимости
The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.
The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.
The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.
NPM IP package incorrectly identifies some private IP addresses as public
EPSS