TooTallNate / proxy-agents

Node.js HTTP Proxy Agents Monorepo
https://proxy-agents.n8.io
871 stars 229 forks

NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks #288

Closed. EnzooKms closed this issue 4 months ago

EnzooKms commented 4 months ago

socks-proxy-agent

This package uses socks version 2.7.1, which has a dependency vulnerability.

Use the new socks patch as https://www.npmjs.com/package/socks/v/2.7.3

Resources:

TooTallNate commented 4 months ago

Run npm upgrade in your project. It'll pick up socks@2.7.3.

RCMainak commented 4 months ago

Hello @TooTallNate, the vulnerable ip package is being pulled by the default npm installation. I tried building a docker image with node 20 and ip package is present in the image. Let me know if I'm doing anything wrong.


Here's my Dockerfile:

```dockerfile
FROM node:20
COPY ./app.js ./
CMD ["node", "./app.js"]
```

TooTallNate commented 4 months ago

You're not doing anything wrong. The Docker image contains what was released in the version of Node.js / npm which that image contains, which was published before the fix here was. You'll need to wait for a new version of the Docker image to be published.

RCMainak commented 4 months ago

Makes sense, thanks.

invariants commented 4 months ago

> Run npm upgrade in your project. It'll pick up socks@2.7.3.

I upgraded to the latest npm, ran npm upgrade and I still get:

```
npm ls ip
...
└─┬ npm@10.4.0
  └─┬ make-fetch-happen@13.0.0
    └─┬ @npmcli/agent@2.2.0
      └─┬ socks-proxy-agent@8.0.2
        └─┬ socks@2.7.1
          └── ip@2.0.0
```

Wouldn't it be better to just bump your dependency to socks "^2.7.3"?

EnzooKms commented 4 months ago

> Run npm upgrade in your project. It'll pick up socks@2.7.3.
>
> I upgraded to the latest npm, ran npm upgrade and I still get:
>
> ```
> npm ls ip
> ...
> └─┬ npm@10.4.0
>   └─┬ make-fetch-happen@13.0.0
>     └─┬ @npmcli/agent@2.2.0
>       └─┬ socks-proxy-agent@8.0.2
>         └─┬ socks@2.7.1
>           └── ip@2.0.0
> ```
>
> Wouldn't it be better to just bump your dependency to socks "^2.7.3"?

Use npm audit to fix that.

invariants commented 4 months ago

> Use npm audit to fix that.

That doesn't work as well. You can try it for yourself: make a new node project and install the latest npm as a dependency.

EnzooKms commented 4 months ago

> Use npm audit to fix that.

> That doesn't work as well. You can try it for yourself: make a new node project and install the latest npm as a dependency.

```
npm audit
npm audit fix
```

Doesn't work?

I don't know how to resolve then

TooTallNate commented 4 months ago

That issue is specific to the npm package itself, since it's bundling the dependencies using the bundleDependencies key in the package.json file. So the versions of dependencies that get installed are locked to what was available when that version of npm was published. Unfortunately there's not going to be anything I can do on my end to fix that.
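
The bundle boundary described in the comment above, as an added example (not code from proxy-agents, socks, or the npm CLI): a small Node.js walker over a constructed dependency tree shaped like the `npm ls ip` output quoted in this thread. It reports every path to a target package and marks the paths that pass through a bundleDependencies edge, which `npm upgrade` and `npm audit fix` do not re-resolve because those packages ship inside the bundling parent's tarball. The tree, the `{ version, bundleDependencies, dependencies }` node shape, and the rule that everything beneath a bundled package stays inside the bundle are assumptions made for the illustration; against a real project the tree would be built by reading the package.json files under node_modules.

```javascript
'use strict';
// Added example for this thread; not code from proxy-agents, socks, or the npm CLI.
// Node shape (assumed): { version, bundleDependencies?: string[], dependencies?: { name: node } }

/**
 * Return every path from the project root to `target`, each tagged with the
 * "name@version" of the package whose tarball bundled it (or null when the
 * edge chain is ordinary and `npm upgrade` can re-resolve it).
 */
function findPaths(root, target) {
  const hits = [];

  // bundleOwner: the ancestor whose bundleDependencies pulled this subtree in, or null.
  function walk(name, node, path, bundleOwner) {
    const id = `${name}@${node.version}`;
    const here = path.concat(id);
    if (name === target) {
      hits.push({ path: here, lockedBy: bundleOwner });
    }
    const bundled = new Set(node.bundleDependencies || []);
    for (const [childName, child] of Object.entries(node.dependencies || {})) {
      // Assumption: once a subtree is inside a bundle, every descendant stays inside it.
      const owner = bundleOwner || (bundled.has(childName) ? id : null);
      walk(childName, child, here, owner);
    }
  }

  for (const [name, node] of Object.entries(root.dependencies || {})) {
    walk(name, node, [], null);
  }
  return hits;
}

/** Split the hits into what `npm upgrade` can fix and what needs the bundling parent to republish. */
function triage(root, target) {
  const fixable = [];
  const needsRepublish = [];
  for (const hit of findPaths(root, target)) {
    (hit.lockedBy ? needsRepublish : fixable).push(hit);
  }
  return { fixable, needsRepublish };
}

// Constructed data: the socks-proxy-agent -> socks -> ip chain from the thread's `npm ls ip`.
const socksChain = {
  version: '8.0.2',
  dependencies: {
    socks: { version: '2.7.1', dependencies: { ip: { version: '2.0.0' } } },
  },
};

// Constructed project: the same chain reached once through npm (bundled) and once
// as a direct, ordinary dependency, to contrast the two cases.
const project = {
  version: '1.0.0',
  dependencies: {
    npm: {
      version: '10.4.0',
      bundleDependencies: ['make-fetch-happen'], // assumption: npm bundles its own deps
      dependencies: {
        'make-fetch-happen': {
          version: '13.0.0',
          dependencies: {
            '@npmcli/agent': {
              version: '2.2.0',
              dependencies: { 'socks-proxy-agent': socksChain },
            },
          },
        },
      },
    },
    'socks-proxy-agent': socksChain,
  },
};

const report = triage(project, 'ip');
for (const h of report.fixable) {
  console.log('upgradeable:', h.path.join(' > '));
}
for (const h of report.needsRepublish) {
  console.log(`locked by ${h.lockedBy}:`, h.path.join(' > '));
}
```

For the constructed tree the script prints the direct socks-proxy-agent path as upgradeable and the path under npm@10.4.0 as locked by npm@10.4.0, which is exactly the split the thread runs into: bumping socks in this repo fixes the former, while the latter only changes when a new npm is published (and, for Docker users, when the node image picks that npm up).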

invariants commented 4 months ago

> That issue is specific to the npm package itself, since it's bundling the dependencies using the bundleDependencies key in the package.json file. So the versions of dependencies that get installed are locked to what was available when that version of npm was published. Unfortunately there's not going to be anything I can do on my end to fix that.

Ahh, thanks for clarifying! I'll look in the Npm Issue Tracker then. EDIT: This seems to be the one https://github.com/npm/cli/issues/7223

TooTallNate commented 4 months ago

Is there a reason you're concerned specifically with the deps that npm installs? It shouldn't be a dependency directly of your project except for rare circumstances.

invariants commented 4 months ago

> Is there a reason you're concerned specifically with the deps that npm installs? It shouldn't be a dependency directly of your project except for rare circumstances.

We're using the https://github.com/semantic-release/npm plugin to create a private npm package in our CI/CD pipeline. This depends on npm and has over a million weekly downloads. So I would say it's not that rare ;).

dball commented 4 months ago

FWIW, we're concerned with the deps that npm installs because the security vulnerability scanners flag them, and regulatory compliance requires that we mitigate them; I suspect we're not alone in this situation.

mihob commented 4 months ago

Same situation here, any news on this topic?

EnzooKms commented 4 months ago

> Same situation here, any news on this topic?

You try npm audit?

TooTallNate commented 4 months ago

I've already said that a new npm release needs to be made. I'm going to lock this thread.