timlrx / tailwind-nextjs-starter-blog

This is a Next.js, Tailwind CSS blogging starter template. Comes out of the box configured with the latest technologies to make technical writing a breeze. Easily configurable and customizable. Perfect as a replacement to existing Jekyll and Hugo individual blogs.
https://tailwind-nextjs-starter-blog.vercel.app/
MIT License

CVE-2023-42282: NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks #857

Closed rhokstar closed 5 months ago

rhokstar commented 7 months ago

After pushing to origin, I was notified about this new vulnerability:

https://github.com/advisories/GHSA-78xj-cgh5-2h22

An issue in all published versions of the NPM package ip allows an attacker to execute arbitrary code and obtain sensitive information via the isPublic() function. This can lead to potential Server-Side Request Forgery (SSRF) attacks. The core issue is the function's failure to accurately distinguish between public and private IP addresses.
References

    https://nvd.nist.gov/vuln/detail/CVE-2023-42282
    https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html
    https://github.com/JoshGlazebrook/socks/issues/93#issue-2128357447
    https://github.com/github/advisory-database/pull/3504#issuecomment-1937179999

Update IP to 2.0.1: `yarn up -R ip`

`yarn.lock`

Before:

```yaml
"ip@npm:^2.0.0":
  version: 2.0.0
  resolution: "ip@npm:2.0.0"
  checksum: cfcfac6b873b701996d71ec82a7dd27ba92450afdb421e356f44044ed688df04567344c36cbacea7d01b1c39a4c732dc012570ebe9bebfb06f27314bca625349
  languageName: node
  linkType: hard
```

After:

```yaml
"ip@npm:^2.0.0":
  version: 2.0.1
  resolution: "ip@npm:2.0.1"
  checksum: d765c9fd212b8a99023a4cde6a558a054c298d640fec1020567494d257afd78ca77e37126b1a3ef0e053646ced79a816bf50621d38d5e768cdde0431fa3b0d35
  languageName: node
  linkType: hard
```
timlrx commented 5 months ago

I don't see any existing CVE now