CVE-2023-42282
published 2024-02-08CVE-2023-42282: The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via…
PriorityP350critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
1.61%
73.0th percentile
The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.
Affected
22 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | node-ip | < node-ip 2.0.1+~1.1.3-3 (forky) | node-ip 2.0.1+~1.1.3-3 (forky) |
| debian | node-ip | < node-ip 2.0.1+~1.1.3-1 (forky) | node-ip 2.0.1+~1.1.3-1 (forky) |
| fedorindutny | ip | < 1.1.9 | 1.1.9 |
| fedorindutny | ip | <= 2.0.1 | — |
| fedorindutny | ip | — | — |
| fedorindutny | ip | >= 0 < 1.1.9 | 1.1.9 |
| fedorindutny | ip | 0 – 2.0.1 | — |
| fedorindutny | ip | >= 2.0.0 < 2.0.1 | 2.0.1 |
| msrc | azl3_nodejs_20.10.0-2_on_azure_linux_3.0 | — | — |
| msrc | azl3_nodejs_20.14.0-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_python-tensorboard_2.16.2-6_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_nodejs18_18.18.2-4_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_nodejs18_18.18.2-7_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_nodejs_16.20.2-3_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_nodejs_16.20.2-4_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_python-tensorboard_2.11.0-3_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_reaper_3.1.1-10_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_reaper_3.1.1-18_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ghsa9.8CRITICAL
osv9.8CRITICAL
vendor_debian9.8CRITICAL
vendor_msrc9.8CRITICAL
vendor_redhat9.8CRITICAL
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Red Hat
node-ip: Incomplete fix for CVE-2023-42282
vendor_redhat·2024-02-20·CVSS 9.8
CVE-2024-29415 [CRITICAL] CWE-918 node-ip: Incomplete fix for CVE-2023-42282
node-ip: Incomplete fix for CVE-2023-42282
The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.
A flaw was found in node-ip. The fix for CVE-2023-42282 in the ip package for Node.js was incomplete, and the issue may still be triggered using some IP addresses.
Statement: For CVE-2023-42282, npm does not utilize the bundled code, therefore Red Hat Enterprise Linux is not affected by this vulnerability.
Mitigation: Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria co
Ubuntu
NPM IP vulnerability
vendor_ubuntu·2024-02-19
CVE-2023-42282 NPM IP vulnerability
Title: NPM IP vulnerability
Summary: NPM IP could be made to expose sensitive information over the
network.
Emre Durmaz discovered that NPM IP package incorrectly distinguished
between private and public IP addresses. A remote attacker could
possibly use this issue to perform
Server-Side Request Forgery (SSRF) attacks.
Instructions: In general, a standard system update will make all the necessary changes.
Microsoft
The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.
vendor_msrc·2024-02-13·CVSS 9.8
CVE-2023-42282 [CRITICAL] CWE-918 The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.
The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
Red Hat
nodejs-ip: arbitrary code execution via the isPublic() function
vendor_redhat·2024-02-08·CVSS 9.8
CVE-2023-42282 [CRITICAL] CWE-918 nodejs-ip: arbitrary code execution via the isPublic() function
nodejs-ip: arbitrary code execution via the isPublic() function
The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.
A vulnerability was found in the NPM IP Package. This flaw allows an attacker to perform arbitrary code execution and obtain sensitive information via the isPublic() function by inducing a Server-Side Request Forgery (SSRF) attack and obtaining access to normally inaccessible resources.
Statement: It appears that npm does not utilize the bundled code therefore Red Hat Enterprise Linux is not affected by this vulnerability.
While the vulnerability in the NPM IP Package presents a significant security concern, it's categorized as important rather than critical due to
Debian
CVE-2024-29415: node-ip - The ip package through 2.0.1 for Node.js might allow SSRF because some IP addres...
vendor_debian·2024·CVSS 9.8
CVE-2024-29415 [CRITICAL] CVE-2024-29415: node-ip - The ip package through 2.0.1 for Node.js might allow SSRF because some IP addres...
The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 2.0.1+~1.1.3-3)
sid: resolved (fixed in 2.0.1+~1.1.3-3)
trixie: resolved (fixed in 2.0.1+~1.1.3-3)
Debian
CVE-2023-42282: node-ip - The ip package before 1.1.9 for Node.js might allow SSRF because some IP address...
vendor_debian·2023·CVSS 9.8
CVE-2023-42282 [CRITICAL] CVE-2023-42282: node-ip - The ip package before 1.1.9 for Node.js might allow SSRF because some IP address...
The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 2.0.1+~1.1.3-1)
sid: resolved (fixed in 2.0.1+~1.1.3-1)
trixie: resolved (fixed in 2.0.1+~1.1.3-1)
GHSA
ip SSRF improper categorization in isPublic
ghsa·2024-06-02·CVSS 9.8
CVE-2024-29415 [CRITICAL] CWE-918 ip SSRF improper categorization in isPublic
ip SSRF improper categorization in isPublic
The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.
OSV
ip SSRF improper categorization in isPublic
osv·2024-06-02·CVSS 9.8
CVE-2024-29415 [CRITICAL] ip SSRF improper categorization in isPublic
ip SSRF improper categorization in isPublic
The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.
OSV
CVE-2024-29415: The ip package through 2
osv·2024-05-27·CVSS 9.8
CVE-2024-29415 [CRITICAL] CVE-2024-29415: The ip package through 2
The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.
OSV
NPM IP package incorrectly identifies some private IP addresses as public
osv·2024-02-08
CVE-2023-42282 [LOW] NPM IP package incorrectly identifies some private IP addresses as public
NPM IP package incorrectly identifies some private IP addresses as public
The `isPublic()` function in the NPM package `ip` doesn't correctly identify certain private IP addresses in uncommon formats such as `0x7F.1` as private. Instead, it reports them as public by returning `true`. This can lead to security issues such as Server-Side Request Forgery (SSRF) if `isPublic()` is used to protect sensitive code paths when passed user input. Versions 1.1.9 and 2.0.1 fix the issue.
OSV
CVE-2023-42282: The ip package before 1
osv·2024-02-08·CVSS 9.8
CVE-2023-42282 [CRITICAL] CVE-2023-42282: The ip package before 1
The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.
GHSA
NPM IP package incorrectly identifies some private IP addresses as public
ghsa·2024-02-08
CVE-2023-42282 [LOW] CWE-918 NPM IP package incorrectly identifies some private IP addresses as public
NPM IP package incorrectly identifies some private IP addresses as public
The `isPublic()` function in the NPM package `ip` doesn't correctly identify certain private IP addresses in uncommon formats such as `0x7F.1` as private. Instead, it reports them as public by returning `true`. This can lead to security issues such as Server-Side Request Forgery (SSRF) if `isPublic()` is used to protect sensitive code paths when passed user input. Versions 1.1.9 and 2.0.1 fix the issue.
No detection rules found.
No public exploits indexed.
Bleepingcomputer
Critical SAP flaw allows remote attackers to bypass authentication
blogs_bleepingcomputer·2024-08-13·CVSS 7.8
CVE-2024-41730 [HIGH] Critical SAP flaw allows remote attackers to bypass authentication
## Critical SAP flaw allows remote attackers to bypass authentication
## Bill Toulas
SAP has released its security patch package for August 2024, addressing 17 vulnerabilities, including a critical authentication bypass that could allow remote attackers to fully compromise the system.
The flaw, tracked as CVE-2024-41730 and rated 9.8 as per the CVSS v3.1 system, is a "missing authentication check" bug impacting SAP BusinessObjects Business Intelligence Platform versions 430 and 440 and is exploitable under certain conditions.
"In SAP BusinessObjects Business Intelligence Platform, if Single Signed On is enabled on Enterprise authentication, an unauthorized user can get a logon token using a REST endpoint," reads the vendor's description of the flaw.
"The attacker can fully compromise
Bugzilla
CVE-2024-29415 node-ip: Incomplete fix for CVE-2023-42282
bugzilla·2024-06-03·CVSS 9.8
CVE-2024-29415 [CRITICAL] CVE-2024-29415 node-ip: Incomplete fix for CVE-2023-42282
CVE-2024-29415 node-ip: Incomplete fix for CVE-2023-42282
The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.
References:
https://github.com/indutny/node-ip/issues/150
https://github.com/indutny/node-ip/pull/143
https://github.com/indutny/node-ip/pull/144
Discussion:
Created golang-github-prometheus tracking bugs for this issue:
Affects: epel-all [bug 2284588]
Created magicmirror tracking bugs for this issue:
Affects: fedora-all [bug 2284589]
---
Created nodejs-ip tracking bugs for this issue:
Affects: epel-7 [bug 2294513]
---
This nod
Bugzilla
CVE-2023-42282 nodejs-ip: arbitrary code execution via the isPublic() function
bugzilla·2024-02-20·CVSS 9.8
CVE-2023-42282 [CRITICAL] CVE-2023-42282 nodejs-ip: arbitrary code execution via the isPublic() function
CVE-2023-42282 nodejs-ip: arbitrary code execution via the isPublic() function
An issue in NPM IP Package v.1.1.8 and before allows an attacker to execute arbitrary code and obtain sensitive information via the isPublic() function.
https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html
https://github.com/indutny/node-ip
Discussion:
Created nodejs-ip tracking bugs for this issue:
Affects: epel-all [bug 2265162]
---
Created golang-github-prometheus tracking bugs for this issue:
Affects: epel-all [bug 2265683]
Created nodejs:13/nodejs tracking bugs for this issue:
Affects: epel-all [bug 2265684]
Created nodejs:16-epel/nodejs tracking bugs for this issue:
Affects: epel-all [bug 2265685]
---
Statement Added:
It appears that npm does not utilize the bundled code, making
https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.htmlhttps://github.com/indutny/node-ip/commit/6a3ada9b471b09d5f0f5be264911ab564bf67894https://huntr.com/bounties/bfc3b23f-ddc0-4ee7-afab-223b07115ed3/https://security.netapp.com/advisory/ntap-20240315-0008/https://www.bleepingcomputer.com/news/security/dev-rejects-cve-severity-makes-his-github-repo-read-only/https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.htmlhttps://github.com/indutny/node-ip/commit/6a3ada9b471b09d5f0f5be264911ab564bf67894https://huntr.com/bounties/bfc3b23f-ddc0-4ee7-afab-223b07115ed3/https://security.netapp.com/advisory/ntap-20240315-0008/https://www.bleepingcomputer.com/news/security/dev-rejects-cve-severity-makes-his-github-repo-read-only/
2024-02-08
Published