alpinelinux / docker-alpine

Official Alpine Linux Docker image. Win at minimalism!
MIT License

CVE-2023-42282 NPM package "ip" vulnerability #380

Open bert-bae opened 3 months ago

bert-bae commented 3 months ago

Node Alpine 18.19-alpine3.19 and below have the "ip" package vulnerability. NIST issue link

The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.

Although the images are using ip@2.0.0, it looks like the proper fix is applied in ip@2.0.1. Since it is a dependency of npm, it appears updating the npm version to the latest will resolve the issue.

Impacted versions: <=0.4.23
Discovered: Feb 8, 2024
Updated: Mar 6, 2024

Related issues:

msaktor commented 3 months ago

npm version 10.5.0 is using socks 2.8.0 npm/cli#7184 (files)

which replaced the problematic ip package https://github.com/JoshGlazebrook/socks/commit/66b7f73023697f6ffb9751b5749b1a8f9b8d5066#diff-7ae45ad102eab3b6d7e7896acd08c427a9b25b346470d7bc6507b6481575d519L48

it's available in node versions:

>= 21.7.0
>= 20.12.0
>= 18.20.0

thuey commented 2 months ago

Looks like this has been updated in the latest image: https://github.com/nodejs/docker-node/commit/e8dc03502488e162b6860a6adc3ee8e8ae517e87

Lumi669 commented 1 week ago

I am using node:20.11.0-alpine and got the same as below:

The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.

PS: I use pnpm, and after installing ip 2.0.1 I still got this issue.