CVE-2023-42282

NPM IP package incorrectly identifies some private IP addresses as public

Description

The `isPublic()` function in the NPM package `ip` doesn't correctly identify certain private IP addresses in uncommon formats such as `0x7F.1` as private. Instead, it reports them as public by returning `true`. This can lead to security issues such as Server-Side Request Forgery (SSRF) if `isPublic()` is used to protect sensitive code paths when passed user input. Versions 1.1.9 and 2.0.1 fix the issue.

Patch Available

Fix available through Seal Security. No upgrade required, protect your application instantly.

Fix without upgrading

Vulnerability Details

Score

Score Vector

Affected Versions

ip >= 2.0.0 < 2.0.1; ip < 1.1.9

Severity

Ecosystem

JavaScript

Publish Date

February 8, 2024

Modified Date

June 28, 2024