23 matches found
kube-router: GoBGP gRPC Admin Port Exposed on Node Primary IP Without Authentication, Allowing Cluster-Wide BGP Route Injection
Summary: When the kube-router routing controller starts (--run-router), it binds the GoBGP gRPC management server to the node's primary IP (e.g., 192.168.1.10:50051) in addition to 127.0.0.1:50051. The default admin port is 50051 and the server is enabled by default with no TLS and no authentication...
Security Bulletin: Astronomer with IBM is vulnerable to server-side request forgery due to the node-ip package (CVE-2025-59436, CVE-2025-59437)
Summary: Node-ip is used by Astronomer with IBM as part of IP address processing functionality. Vulnerability Details: CVEID: CVE-2025-59436. DESCRIPTION: The ip aka node-ip package through 2.0.1 in NPM might allow SSRF because the IP address value 017700000001 is improperly categorized as globally...
EUVD-2025-29356
Malicious code in bioql PyPI...
CVE-2025-59437
The ip aka node-ip package through 2.0.1 in NPM might allow SSRF because the IP address value 0 is improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2024-29415. NOTE: in current versions of several applications, connection...
Linux Distros Unpatched Vulnerability : CVE-2025-59437
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The ip aka node-ip package through 2.0.1 in NPM might allow SSRF because the IP address value 0 is improperly categorized as globally routable via isPublic. NOT...
CVE-2025-59436
The ip aka node-ip package through 2.0.1 in NPM might allow SSRF because the IP address value 017700000001 is improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2024-29415. Mitigation Mitigation for this issue is either not...
CVE-2025-59436
The ip aka node-ip package through 2.0.1 in NPM might allow SSRF because the IP address value 017700000001 is improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2024-29415...
CVE-2025-59437
The ip aka node-ip package through 2.0.1 in NPM might allow SSRF because the IP address value 0 is improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2024-29415. NOTE: in current versions of several applications, connection...
UBUNTU-CVE-2025-59436
The ip aka node-ip package through 2.0.1 in NPM might allow SSRF because the IP address value 017700000001 is improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2024-29415...
Server-side Request Forgery (SSRF)
Overview: ip is a Node library. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the ip.isPublic and ip.isPrivate functions. An attacker can interact with internal network resources by supplying a specially crafted IP address such as octal localhost format...
Server-side Request Forgery (SSRF)
Overview: ip is a Node library. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the ip.isPublic and ip.isPrivate functions. An attacker can interact with internal network resources by supplying a specially crafted IP address such as null route "0" that is bei...
node-ip code issue vulnerability
node-ip is a Node.js module by individual developer indutny. A code issue vulnerability exists in node-ip version 2.0.1 and earlier, which stems from the IP address value 0 being incorrectly categorized as globally routable, which could lead to server-side request forgery...
node-ip code issue vulnerability
node-ip is a Node.js module by individual developer indutny. A code issue vulnerability exists in node-ip version 2.0.1 and earlier, which stems from IP address 017700000001 being misclassified as globally routable, which could lead to server-side request forgery...
CVE-2025-59436
The ip aka node-ip package through 2.0.1 in NPM might allow SSRF because the IP address value 017700000001 is improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2024-29415...
CVE-2025-59436
The ip aka node-ip package through 2.0.1 in NPM might allow SSRF because the IP address value 017700000001 is improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2024-29415...
CVE-2025-59437
The ip aka node-ip package through 2.0.1 in NPM might allow SSRF because the IP address value 0 is improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2024-29415. NOTE: in current versions of several applications, connection...
The vulnerability of the isPublic() function in the node-ip utility of the Node.js software platform allows an attacker to execute an SSRF attack.
The vulnerability of the isPublic function in the node-ip utility of the Node.js software platform is related to incorrect classification of IP addresses. Exploiting this vulnerability could allow a remote attacker to execute an SSRF attack...
CVE-2024-29415
A flaw was found in node-ip. The fix for CVE-2023-42282 in the ip package for Node.js was incomplete, and the issue may still be triggered using some IP addresses. Mitigation Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Securi...
node-ip security vulnerability
node-ip is a Node.js module by individual developer indutny. A security vulnerability exists in node-ip version 2.0.1 and earlier, which stems from incorrect categorization of certain IP addresses that can be globally routed via isPublic, potentially leading to server-side request forgery (SSRF)...
The vulnerability of the node-ip utility in the Node.js software platform allows a hacker to execute arbitrary code.
The vulnerability of the node-ip utility in the Node.js software platform is related to insufficient checking of incoming requests. Exploiting this vulnerability allows a remote attacker to execute arbitrary code...