Security Vulnerability: SSRF in `ip` Package Dependency (`CVE-2023-42282`)

Environment

React Native Version: 0.72.0
CLI Doctor Version: 11.3.2
CLI Hermes Version: 11.3.2
Node.js Version: 14.17.0
Operating System: macOS Monterey 12.6
Package Manager: Yarn 1.22.10

Description

A security vulnerability has been identified in the ip package used by both @react-native-community/cli-doctor and @react-native-community/cli-hermes. The ip package versions <=2.0.1 are susceptible to Server-Side Request Forgery (SSRF) due to improper categorization of certain IP addresses via the isPublic function.

Vulnerability Details:

Type: SSRF (Server-Side Request Forgery)
Affected Versions: ip@<=2.0.1
CVE Identifier: CVE-2023-42282
Impact: Potential for SSRF attacks, which can lead to unauthorized access to internal services or sensitive data.

Both @react-native-community/cli-doctor@11.3.2 and @react-native-community/cli-hermes@11.3.2 depend on ip@1.1.9, which falls within the vulnerable range.

Reproducible Demo

While this vulnerability doesn't involve a reproducible bug, it affects the project's security posture due to the following dependency tree:

@react-native-community/cli-doctor@11.3.2 └─ ip@1.1.9 (via ^1.1.5)

@react-native-community/cli-hermes@11.3.2 └─ ip@1.1.9 (via ^1.1.5)

Steps to Identify the Vulnerability:

Ran yarn why ip and identified that both CLI packages depend on ip@1.1.9.
Reviewed the CVE-2023-42282 details, which indicate that ip@<=2.0.1 is vulnerable to SSRF attacks.

Impact Assessment

Scope: All projects using @react-native-community/cli-doctor and @react-native-community/cli-hermes version 11.3.2 are potentially affected.
Severity: High, due to the nature of SSRF vulnerabilities allowing unauthorized access to internal resources.
Likelihood: Depends on how the CLI tools are used within applications, but the vulnerability exists regardless of usage patterns.

react-native-community / cli