CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score Confidence: High
EPSS Percentile: 35.9%
The isPublic() function in the NPM package ip doesn't correctly identify certain private IP addresses in uncommon formats such as 0x7F.1 as private. Instead, it reports them as public by returning true. This can lead to security issues such as Server-Side Request Forgery (SSRF) if isPublic() is used to protect sensitive code paths when passed user input. Versions 1.1.9 and 2.0.1 fix the issue.
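The defensive pattern behind this advisory is to canonicalise an address before classifying it, so that hex, octal and shortened dotted spellings (the 0x7F.1 case above) resolve to the same dotted-decimal form as 127.0.0.1. The following is an added illustration written for this page, not code from the ip package or its fix; the function names (parsePart, canonicalizeIPv4, isPublicSafe) and the list of non-public blocks are this example's own choices.

```javascript
// Added example (not the ip package's own code): expand the uncommon IPv4
// spellings that inet_aton()-style parsers accept (hex, octal, 1-3 part
// dotted forms) to canonical dotted-decimal before classifying them.

// Parse one dotted part: 0x.. is hex, a leading 0 is octal, else decimal.
// Returns null for anything that is not a number in one of those forms.
function parsePart(part) {
  let m;
  if ((m = /^0[xX]([0-9a-fA-F]+)$/.exec(part))) return parseInt(m[1], 16);
  if ((m = /^0([0-7]+)$/.exec(part))) return parseInt(m[1], 8);
  if (/^(0|[1-9][0-9]*)$/.test(part)) return parseInt(part, 10);
  return null;
}

// Canonical "a.b.c.d" for a 1- to 4-part address (the last part fills the
// remaining bytes, as inet_aton() does), or null if it is malformed.
function canonicalizeIPv4(str) {
  const parts = String(str).trim().split('.');
  if (parts.length > 4) return null;
  const nums = parts.map(parsePart);
  if (nums.some((n) => n === null)) return null;
  const last = nums.pop();
  if (nums.some((n) => n > 0xff)) return null;   // leading parts are bytes
  const restBytes = 4 - nums.length;
  if (last >= 2 ** (8 * restBytes)) return null; // last part must fit
  const bytes = [...nums];
  for (let i = restBytes - 1; i >= 0; i--) bytes.push((last >>> (8 * i)) & 0xff);
  return bytes.join('.');
}
function toInt(dotted) {
  return dotted.split('.').reduce((acc, b) => acc * 256 + Number(b), 0);
}

// Special-use blocks a "public" check must reject (RFC 1918, loopback,
// link-local, CGNAT, "this network", multicast, reserved).
const NON_PUBLIC = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
  ['224.0.0.0', 4], ['240.0.0.0', 4],
];

// Fail closed: true only for a well-formed address outside every block above.
function isPublicSafe(str) {
  const canon = canonicalizeIPv4(str);
  if (canon === null) return false;
  const ip = toInt(canon);
  return !NON_PUBLIC.some(([base, bits]) =>
    Math.floor(ip / 2 ** (32 - bits)) === Math.floor(toInt(base) / 2 ** (32 - bits)));
}
```

Unparsable input is treated as not public, which is the safe default when the result gates a server-side request.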
cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html
github.com/github/advisory-database/pull/3504#issuecomment-1937179999
github.com/indutny/node-ip
github.com/indutny/node-ip/commit/32f468f1245574785ec080705737a579be1223aa
github.com/indutny/node-ip/commit/6a3ada9b471b09d5f0f5be264911ab564bf67894
github.com/indutny/node-ip/pull/138
github.com/JoshGlazebrook/socks/issues/93#issue-2128357447
nvd.nist.gov/vuln/detail/CVE-2023-42282