CVE-2023-42282

CRITICAL

fedorindutny/ip < 1.1.9 and >=2.0.0 <2.0.1 - Server-Side Request Forgery via isPublic IP Validation

Title source: llm

Description

The ip package before 1.1.9 (and 2.0.0, fixed in 2.0.1) for Node.js may allow SSRF because some IP address literals, such as 0x7f.1 (a hexadecimal short form that the OS resolver parses as 127.0.0.1), are improperly classified as globally routable by isPublic.
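The following is an added example written for this entry; it is not the ip package's source and does not reproduce its exact regexes. It models the bug class behind CWE-918 here: a filter that tests an address string against dotted-decimal patterns, while the resolver the HTTP client later hands the string to applies legacy inet_aton parsing (hex, octal, short forms, plain 32-bit integers). The function names (`inetAton`, `naiveIsPublic`, `strictIsPublic`) and the CIDR table are assumptions made for the illustration.

```javascript
// Added example for CVE-2023-42282 (illustrative, not the ip package's code).
// Parse one inet_aton-style component: "0x.." hex, leading-0 octal, else decimal.
function parsePart(part) {
  if (/^0[xX][0-9a-fA-F]+$/.test(part)) return parseInt(part.slice(2), 16);
  if (/^0[0-9]+$/.test(part)) return /^0[0-7]+$/.test(part) ? parseInt(part, 8) : NaN;
  if (/^[0-9]+$/.test(part)) return parseInt(part, 10);
  return NaN;
}

// Emulate BSD inet_aton (what getaddrinfo/dns.lookup accept for numeric hosts):
// 1 to 4 parts, the last part fills all remaining bytes. Returns the canonical
// dotted-quad string, or null when the text is not a valid IPv4 literal.
function inetAton(str) {
  const parts = str.split('.');
  if (parts.length < 1 || parts.length > 4) return null;
  const vals = parts.map(parsePart);
  if (vals.some(Number.isNaN)) return null;
  const last = vals.pop();
  if (vals.some((v) => v > 255)) return null;
  const fillBytes = 4 - vals.length; // bytes covered by the final component
  if (last >= 2 ** (8 * fillBytes)) return null;
  let n = 0;
  for (const v of vals) n = n * 256 + v;
  n = n * 256 ** fillBytes + last;
  return [n >>> 24, (n >>> 16) & 255, (n >>> 8) & 255, n & 255].join('.');
}

// Simplified model of the vulnerable approach (assumed shape, not the library's
// regexes): patterns that only recognise canonical dotted-decimal text.
const PRIVATE_RE = [
  /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/, // loopback
  /^10\.\d{1,3}\.\d{1,3}\.\d{1,3}$/, // RFC 1918
  /^172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}$/,
  /^192\.168\.\d{1,3}\.\d{1,3}$/,
  /^169\.254\.\d{1,3}\.\d{1,3}$/, // link-local
  /^0\.\d{1,3}\.\d{1,3}\.\d{1,3}$/,
];
function naiveIsPublic(addr) {
  return !PRIVATE_RE.some((re) => re.test(addr));
}

// IPv4 ranges an SSRF filter must treat as non-public (constructed table).
const NON_PUBLIC_CIDRS = [
  '0.0.0.0/8', '10.0.0.0/8', '100.64.0.0/10', '127.0.0.0/8', '169.254.0.0/16',
  '172.16.0.0/12', '192.0.0.0/24', '192.168.0.0/16', '198.18.0.0/15',
  '224.0.0.0/4', '240.0.0.0/4',
];
function toInt(quad) {
  return quad.split('.').reduce((n, o) => n * 256 + Number(o), 0);
}
function inCidr(quad, cidr) {
  const [base, bits] = cidr.split('/');
  const mask = bits === '0' ? 0 : (0xffffffff << (32 - Number(bits))) >>> 0;
  return ((toInt(quad) & mask) >>> 0) === ((toInt(base) & mask) >>> 0);
}

// Hardened check: canonicalize with the same parsing the resolver will apply,
// then compare numerically. Unparseable input is rejected, not treated as public.
function strictIsPublic(addr) {
  const quad = inetAton(addr);
  if (quad === null) return false;
  return !NON_PUBLIC_CIDRS.some((c) => inCidr(quad, c));
}

// Demo: the hex short form from the advisory passes the naive check.
const probe = '0x7f.1';
console.log(inetAton(probe), naiveIsPublic(probe), strictIsPublic(probe));
```

The same bypass works with `2130706433`, `0177.0.0.1` or `127.1`, all of which canonicalize to 127.0.0.1. Two caveats for anyone writing an SSRF filter rather than patching: this block covers IPv4 only, so IPv4-mapped IPv6 literals (`::ffff:127.0.0.1`) need their own canonicalization, and checking a literal is not enough when the input is a hostname, since the address must be validated after resolution, at connect time, to defeat DNS rebinding.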

Scores

CVSS v3 9.8
EPSS 0.0067
EPSS Percentile 71.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-918
Status published
Products (3)
fedorindutny/ip 2.0.0
fedorindutny/ip < 1.1.9
npm/ip 2.0.0 - 2.0.1
Published Feb 08, 2024
Tracked Since Feb 18, 2026