🚨 HIGH Severity Vulnerability: Package unsafe for use as of v1.1.8 🚨

[taylorjdawson]

Until PR is merge to mitigate this attack vector, package should be deemed unsafe for use.

NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks, see GitHub advisory for more information.

[carnil]

CVE-2023-42282 is associated with this issue, mentioning it for cross-reference as well.

[glitch-txs]

@indutny any update on this?

[levpachmanov]

Hi @taylorjdawson @carnil @glitch-txs,

Notice that ip@2.0.0 is affected by CVE-2023-42282 - https://github.com/github/advisory-database/pull/3504

We're part of a startup called Seal Security that mitigates software vulnerabilities in older open source versions by backporting/creating standalone security patches - enabling more straightforward remediation in cases like this. We created an ip 1.1.8-sp and 2.0.0-sp1 that's vulnerability-free. As with all of our patches, it's open-source and available for free.

If relevant, check out our GitHub repo if you wish to learn more, or start using our app.

Please feel free to reach us at info@seal.security if you have any requests/questions.

[mukitmomin]

Looks like there is an open PR: #138 that fixes this issue. Any timeline on when it will be merged and released?

[damonholden]

Any update on this?

[aminekun90]

Any update on this?

There is an open PR for this ... --'

[levpachmanov]

@mukitmomin @damonholden @aminekun90 notice @mnikolaus 's comment on #138 that the current PR covers only a limited number of cases and as @n0099 mentioned there are many other options

[damonholden]

Are there any known workarounds then? We've had to move our project to critical vulnerability blockers only for this.

[aminekun90]

Are there any known workarounds then? We've had to move our project to critical vulnerability blockers only for this.

For our project we unfortunately got rid of the library using node-ip

[levpachmanov]

@damonholden - as others suggested you might try getting rid of node-ip. Alternatively we (Seal Security) released a patch that we believe covers all the cases. You can check out or our GitHub repo and our app - it's free to use for open source projects.

[dchambers]

We're part of a startup called Seal Security that mitigates software vulnerabilities in older open source versions by backporting/creating standalone security patches

@levpachmanov, may I ask, was it also your team that reported the issue to NIST in the first place?

[levpachmanov]

@dchambers no, the credit goes to @cosmosofcyberspace AFAIK. We have only suggested updating the affected version range of the advisory (even though @G-rath did it first) and trying to help the community remediate the risk.

[dotboris]

I feel that this CVE is less critical than it's made to appear and that this issue (title + description) are a bit alarmist.

What's going on here is that the isPublic(...) function from this package has a bug. It fails to recognize some ips in hex format as private. This doesn't make it a security issue in its own right.

The advisory labels this a high and talks of remote code execution, information disclosure and server-side request forgery. None of that is true when you look at ip in isolation.

You're only vulnerable to anything remotely close to what the advisory talks about if:

• You have a vulnerable version of ip in your deps
• and you or your dependencies use the isPublic() function
• and that function is used to guard something sensitive
• and the input you pass to isPublic() is user input

Only then, you have a problem.

If you've somehow landed here because your favourite / work imposed security tool is raising an alarm about this, you're probably fine. I suggest that you check for yourself to see if your code is affect. It most likely isn't.

I personally did this by searching for isPublic( in my code and node_modules and found nothing to be alarmed about.

[Siliconvelly]

i am getting this NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks on npm install in my react-native project from today i am unable to understand why this issue is arise but it shows me to downgrade my react native version and i am downgrading the it says upgrading the version so i researched that the npm ip is getting issue from nodemodule file in my project so i find and found this page so please give any solution or suggestion and fix as soon as possible.

[kellyselden]

@levpachmanov I'm curious, do you also publish the patches as forks to npm? Then it would be easy to consume as a package resolution override.

[dotboris]

I have submitted a PR (https://github.com/github/advisory-database/pull/3531) to GitHub's advisory database to change it to reflect the reality of the issue and reduce its severity.

[stalinTechXD]

any latest update on this https://security.snyk.io/vuln/SNYK-JS-IP-6240864 ?

[SamLam140330]

It seems there is a PR (https://github.com/indutny/node-ip/pull/138)

[levpachmanov]

Hi @kellyselden @electrovir @mattd-tg @DSurguy-Sterling - since a public fix hasn’t been released yet, we published the versions we patched to NPM as well @seal-security/ip. Notice using those versions to fix your nested dependencies requires NPM's override feature which is quite buggy (we even tried to fix it).

[marcomontalbano]

Hi all! We can close this issue. The PR https://github.com/indutny/node-ip/pull/138#issuecomment-1951710634 is now merged and the v2.0.1 has been released :tada:

[mukitmomin]

The CVE reported in the github advisory database is not written correctly. NPM does not accept version v1.1.9 as a patched version as the existing CVE lists affected versions are <=2.0.0. This PR fixes the advisory to accept v1.1.9 as a patched version as well. Any idea when/how CVE can be updated?

[ouuan]

This is not resolved in 1.1.9/2.0.1. See #143 for more details.

[abhishek-parative]

Can the maintainer/group with Write access take a look at #144?

[karthikTVS]

1.1.8-sp this patch version not found in registry https://registry.npmjs.org/ip/-/ip-1.1.8-sp.tgz

[n0099]

Fun with IP address parsing