OS2iot / OS2iot-frontend

This repository contains the front end to the project OS2iot.
Mozilla Public License 2.0

Fix CVE-2023-42282 #157

Closed debricked[bot] closed 6 months ago

debricked[bot] commented 6 months ago

CVE-2023-42282

Vulnerability details

Description

### Server-Side Request Forgery (SSRF)

> The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

### NVD

> The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.

### GitHub

> NPM IP package incorrectly identifies some private IP addresses as public
>
> The `isPublic()` function in the NPM package `ip` doesn't correctly identify certain private IP addresses in uncommon formats such as `0x7F.1` as private. Instead, it reports them as public by returning `true`. This can lead to security issues such as Server-Side Request Forgery (SSRF) if `isPublic()` is used to protect sensitive code paths when passed user input. Versions 1.1.9 and 2.0.1 fix the issue.
CVSS details - 9.8

| CVSS3 metrics | |
|:-|:-|
| Attack Vector | **Network** |
| Attack Complexity | **Low** |
| Privileges Required | **None** |
| User Interaction | **None** |
| Scope | **Unchanged** |
| Confidentiality | **High** |
| Integrity | **High** |
| Availability | **High** |
References

- [NPM IP package incorrectly identifies some private IP addresses as public · CVE-2023-42282 · GitHub Advisory Database · GitHub](https://github.com/advisories/GHSA-78xj-cgh5-2h22)
- [CVE-2023-42282 NPM Vulnerability in NetApp Products | NetApp Product Security](https://security.netapp.com/advisory/ntap-20240315-0008/)
- [NVD - CVE-2023-42282](https://nvd.nist.gov/vuln/detail/CVE-2023-42282)
- [Missing IP Address Control in isPublic() Function Leads to SSRF Bypass PoC](https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html)
- [Socks package depends on vulnerable package `ip` · Issue #93 · JoshGlazebrook/socks · GitHub](https://github.com/JoshGlazebrook/socks/issues/93#issue-2128357447)
- [[GHSA-78xj-cgh5-2h22] NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks by G-Rath · Pull Request #3504 · github/advisory-database · GitHub](https://github.com/github/advisory-database/pull/3504#issuecomment-1937179999)
- [lib: fixed CVE-2023-42282 and added unit test · indutny/node-ip@6a3ada9 · GitHub](https://github.com/indutny/node-ip/commit/6a3ada9b471b09d5f0f5be264911ab564bf67894)
- [CVE-2023-42282 by Cofgren · Pull Request #138 · indutny/node-ip · GitHub](https://github.com/indutny/node-ip/pull/138)
- [lib: fixed CVE-2023-42282 and added unit test · indutny/node-ip@32f468f · GitHub](https://github.com/indutny/node-ip/commit/32f468f1245574785ec080705737a579be1223aa)
- [huntr - The world's first bug bounty platform for AI/ML](https://huntr.com/bounties/bfc3b23f-ddc0-4ee7-afab-223b07115ed3/)


Related information

:pushpin: Remember! Check the changes to ensure they don't introduce any breaking changes.
:books: Read more about the CVE