CVE-2023-42282 — Server-Side Request Forgery in Node-ip
Severity: 9.8 CRITICAL (NVD)
NVD: 8.1
EPSS: 0.7% (top 27.30%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 8; latest update Aug 13
Description: The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.
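Why a literal like 0x7f.1 must be canonicalised before it is classified, as an added example that is not the ip package's own code: the helper below applies the inet_aton(3) shorthand rules (one to four parts, each decimal, octal with a leading 0, or hex with 0x, the last part filling the remaining bytes, which goes beyond the single form the description cites), then tests the resulting 32-bit value against the non-public ranges. parseIPv4, dotted, isPublicIPv4 and the NON_PUBLIC list are assumed names.

```javascript
// Added example: canonicalise IPv4 literals the way inet_aton(3) does before
// classifying them, so shorthand such as "0x7f.1" (== 127.0.0.1) is not
// mistaken for a public address. Hypothetical helper, not the ip package's code.
const PART = /^(0x[0-9a-f]+|0[0-7]*|[1-9][0-9]*)$/i;

// Parse one part in decimal, octal (leading 0) or hex (0x) notation.
function parsePart(s) {
  if (!PART.test(s)) return null;
  if (/^0x/i.test(s)) return parseInt(s.slice(2), 16);
  if (s.length > 1 && s[0] === '0') return parseInt(s, 8);
  return parseInt(s, 10);
}

// Return the 32-bit value of an inet_aton-style IPv4 literal, or null.
// With fewer than four parts, the last part fills the remaining low bytes.
function parseIPv4(str) {
  const parts = str.split('.');
  if (parts.length < 1 || parts.length > 4) return null;
  const vals = parts.map(parsePart);
  if (vals.some(v => v === null)) return null;
  const head = vals.slice(0, -1), last = vals[vals.length - 1];
  if (head.some(v => v > 255)) return null;
  const lastBytes = 4 - head.length;
  if (last >= 2 ** (8 * lastBytes)) return null;
  let n = 0;
  for (const v of head) n = n * 256 + v;
  return n * 2 ** (8 * lastBytes) + last;
}

// Render a 32-bit value in canonical dotted-quad form.
function dotted(n) {
  return [24, 16, 8, 0].map(s => (n >>> s) & 255).join('.');
}

// Non-public ranges as [prefix, prefixLength]: "this network", private,
// CGNAT, loopback, link-local, multicast and reserved.
const NON_PUBLIC = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
  ['224.0.0.0', 4], ['240.0.0.0', 4],
];

function inRange(n, prefix, len) {
  const mask = (0xffffffff << (32 - len)) >>> 0;
  return ((n & mask) >>> 0) === ((parseIPv4(prefix) & mask) >>> 0);
}

// True only for a parsable literal that lies outside every non-public range;
// anything unparsable is treated as not public (fail closed).
function isPublicIPv4(str) {
  const n = parseIPv4(str);
  if (n === null) return false;
  return !NON_PUBLIC.some(([p, len]) => inRange(n, p, len));
}
```

A classifier that compares the raw string against dotted-quad patterns never sees that 0x7f.1, 0177.0.0.1 and 2130706433 all denote 127.0.0.1; classifying the parsed value closes that gap.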
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Exploitability: 3.9, Impact: 5.9)
Affected packages: 18
Vendor advisories (6):
Microsoft (2024-02-13): The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.
Debian (2024): CVE-2024-29415: node-ip - The ip package through 2.0.1 for Node.js might allow SSRF because some IP addres...