cbcvebase.
CVE-2024-29415
published 2024-05-27

CVE-2024-29415: The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and…

Priority: P259 · high · 8.1 (CVSS 3.1)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: EPSS 8.28% (94.2th percentile)
The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.

Affected

4 ranges
Vendor         Product   Version range                       Fixed in
debian         node-ip   < node-ip 2.0.1+~1.1.3-3 (forky)    node-ip 2.0.1+~1.1.3-3 (forky)
debian         node-ip
fedorindutny   ip        <= 2.0.1
fedorindutny   ip        0 – 2.0.1

Detection & IOCs (extracted from sources)

url: /rest/tinymce/1/macro/preview
url: /rest/api/content/macro/preview
other: contextConfigLocation
other: icon_hash=-305179312
  • SSRF via node-ip isPublic bypass: IP addresses such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1 are improperly categorized as globally routable; detect use of these non-canonical forms in outbound requests or in input-validation contexts.
  • Confluence XSLT macro SSRF: POST requests to /rest/tinymce/1/macro/preview or /rest/api/content/macro/preview with a JSON body containing macro name 'xslt' and an external 'location' parameter pointing to an attacker-controlled URL should be flagged.
  • Confluence XSLT macro XXE/SSRF: POST requests to the macro preview endpoints with an 'xml' body containing XXE entity references (e.g., ]>&xxe;) should be flagged as potential exploitation attempts.
  • Successful exploitation of the Confluence XSLT SSRF is indicated by a 200 response containing the string 'contextConfigLocation' in the body, combined with an outbound HTTP callback to the attacker's interactsh/OOB server.
  • The node-ip SSRF bypass chain spans multiple CVEs because each fix was incomplete: CVE-2023-42282 → CVE-2024-29415 → CVE-2025-59436/CVE-2025-59437. Additional bypass values include octal 017700000001 and integer 0 (interpreted as 0.0.0.0/127.0.0.1 on some OS/application combinations).
  • The Confluence XSLT SSRF (CVE-2024-29415 as mapped in DOC 2) requires the attacker to be authenticated (PR:L). Unauthenticated exploitation is not indicated by the available sources.
  • Red Hat notes that npm does not utilize the bundled node-ip code, so Red Hat Enterprise Linux is not affected by this vulnerability in its standard Node.js packages.
  • The node-ip isPublic bypass for integer value 0 (CVE-2025-59437) is OS- and application-version-dependent: some environments block connections to 0/0.0.0.0 with ERR_ADDRESS_INVALID, while others route them to 127.0.0.1.
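The node-ip bypass above comes from a classifier that accepts shorthand, leading-zero, octal, hex and bare-integer spellings and then judges them as routable. The block below is an added example written for this page, not code from the ip package or from any of the cited sources: a strict allow-list classifier that accepts only canonical dotted-quad IPv4 and RFC 4291 IPv6 text, expands IPv4-mapped and NAT64 addresses to the IPv4 they embed, and reports every other form as invalid so an SSRF guard can refuse it. The prefix tables are abridged from the RFC 6890 special-purpose registry and the function names are this example's own.

```javascript
// Added example (not the ip package's own code): a strict address classifier
// for SSRF guards. Only canonical spellings are accepted; every shorthand,
// leading-zero, octal, hex or bare-integer form is reported as "invalid", and
// IPv4-mapped / NAT64 IPv6 addresses are classified by the IPv4 they embed.

// Canonical dotted quad: four decimal octets 0-255, no leading zeros.
const STRICT_IPV4 =
  /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;
const HEXTET = /^[0-9a-fA-F]{1,4}$/;

function parseIPv4Strict(s) {
  return STRICT_IPV4.test(s) ? s.split('.').map(Number) : null;
}

// True when the first `len` bits of `bytes` equal those of `prefix`.
function inPrefix(bytes, prefix, len) {
  for (let i = 0; i < bytes.length; i++) {
    const remaining = len - i * 8;
    if (remaining <= 0) return true;
    const mask = (0xff << (8 - Math.min(8, remaining))) & 0xff;
    if ((bytes[i] & mask) !== (prefix[i] & mask)) return false;
  }
  return true;
}

// Non-global IPv4 ranges (RFC 6890 special-purpose registry, abridged).
const IPV4_NON_GLOBAL = [
  [[0, 0, 0, 0], 8], [[10, 0, 0, 0], 8], [[100, 64, 0, 0], 10],
  [[127, 0, 0, 0], 8], [[169, 254, 0, 0], 16], [[172, 16, 0, 0], 12],
  [[192, 0, 0, 0], 24], [[192, 0, 2, 0], 24], [[192, 168, 0, 0], 16],
  [[198, 18, 0, 0], 15], [[198, 51, 100, 0], 24], [[203, 0, 113, 0], 24],
  [[224, 0, 0, 0], 4], [[240, 0, 0, 0], 4],
];

function isPublicIPv4Bytes(b) {
  return !IPV4_NON_GLOBAL.some(([p, len]) => inPrefix(b, p, len));
}

// Expand an IPv6 literal to 16 bytes; returns null for anything malformed.
function parseIPv6(s) {
  let str = s;
  const lastColon = str.lastIndexOf(':');
  const last = str.slice(lastColon + 1);
  if (last.includes('.')) {
    // Embedded IPv4 tail (e.g. ::ffff:127.0.0.1) must itself be canonical.
    const v4 = parseIPv4Strict(last);
    if (!v4) return null;
    const hi = ((v4[0] << 8) | v4[1]).toString(16);
    const lo = ((v4[2] << 8) | v4[3]).toString(16);
    str = str.slice(0, lastColon + 1) + hi + ':' + lo;
  }
  const halves = str.split('::');
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (halves.length === 1 && missing !== 0)) return null;
  const hextets = [...head, ...Array(missing).fill('0'), ...tail];
  const bytes = [];
  for (const h of hextets) {
    if (!HEXTET.test(h)) return null;
    const v = parseInt(h, 16);
    bytes.push(v >> 8, v & 0xff);
  }
  return bytes;
}

// IPv6 ranges that carry an IPv4 address in their last 32 bits.
const IPV6_EMBEDS_V4 = [['::ffff:0:0', 96], ['64:ff9b::', 96]]
  .map(([p, len]) => [parseIPv6(p), len]);
// ::/96 covers ::, ::1 and the deprecated IPv4-compatible form ::a.b.c.d.
const IPV6_NON_GLOBAL = [['::', 96], ['fe80::', 10], ['fc00::', 7],
  ['ff00::', 8], ['2001:db8::', 32]].map(([p, len]) => [parseIPv6(p), len]);

// Returns 'public', 'private' or 'invalid'. An SSRF guard should only let
// 'public' through; both other answers mean "do not connect".
function classify(addr) {
  const v4 = parseIPv4Strict(addr);
  if (v4) return isPublicIPv4Bytes(v4) ? 'public' : 'private';
  const v6 = parseIPv6(addr);
  if (!v6) return 'invalid';
  if (IPV6_EMBEDS_V4.some(([p, len]) => inPrefix(v6, p, len))) {
    return isPublicIPv4Bytes(v6.slice(12)) ? 'public' : 'private';
  }
  return IPV6_NON_GLOBAL.some(([p, len]) => inPrefix(v6, p, len)) ? 'private' : 'public';
}

// The spellings named in the advisory, plus the octal and integer forms from
// the follow-up CVEs, next to their canonical equivalents (constructed list).
const SAMPLES = ['127.1', '01200034567', '012.1.2.3', '017700000001', '0',
  '000:0:0000::01', '::fFFf:127.0.0.1', '127.0.0.1', '::1', '8.8.8.8'];
for (const a of SAMPLES) console.log(a.padEnd(20), classify(a));
```

Every bypass value from the advisory lands in 'invalid' or 'private', never 'public'; a guard wired to `classify(addr) === 'public'` therefore refuses them without needing to enumerate each spelling. Note the choice to reject rather than normalise the odd forms: normalising 127.1 to 127.0.0.1 in the guard does not help if the HTTP client later parses the same string differently, so refusing anything non-canonical is the safer contract.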

CVSS provenance

nvd            v3.1   8.1   HIGH       CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
ghsa                  9.8   CRITICAL
osv                   9.8   CRITICAL
vendor_debian         9.8   CRITICAL
vendor_redhat         9.8   CRITICAL