Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).
CVE-2024-29415 — Server-Side Request Forgery in Node-ip
Severity
8.1 HIGH (NVD)
NVD 3.2, GHSA 9.8, OSV 9.8
EPSS
84.6%
top 0.67%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
Timeline
Published: May 27
Latest update: Sep 16
Description
The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.
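A strict classifier for the address forms listed above, as an added example that is not code from the ip package or from this advisory. canonicalHost and isPublicStrict are hypothetical names, and the range list covers only common non-public blocks. Each string is normalised with the WHATWG URL parser before the range check, and anything unparseable fails closed.

```javascript
// Added example: strict public-address check for SSRF allow/deny decisions.
// canonicalHost and isPublicStrict are hypothetical names, not the ip package API.

// Normalise with the WHATWG URL parser (a Node.js global), which applies the
// inet_aton-style octal/hex/short-form rules an HTTP client would also apply.
function canonicalHost(input) {
  if (typeof input !== 'string' || !/^[0-9a-fx.:]+$/i.test(input)) return null;
  const host = input.includes(':') ? `[${input}]` : input;
  let name;
  try { name = new URL(`http://${host}/`).hostname; } catch { return null; }
  if (name.startsWith('[')) return name.slice(1, -1);      // IPv6, compressed
  return /^\d+(\.\d+){3}$/.test(name) ? name : null;       // IPv4 dotted quad
}

// Expand a WHATWG-serialised IPv6 string into eight 16-bit groups.
function expandV6(s) {
  const [head, tail] = s.split('::');
  const h = head ? head.split(':') : [];
  const t = tail ? tail.split(':') : [];
  const gap = tail === undefined ? 0 : 8 - h.length - t.length;
  return [...h, ...Array(gap).fill('0'), ...t].map((g) => parseInt(g, 16));
}

function v4IsPublic(a, b) {
  return !(a === 0 || a === 10 || a === 127 || a >= 224 ||
    (a === 100 && (b & 0xc0) === 64) ||   // 100.64.0.0/10
    (a === 169 && b === 254) ||           // link-local
    (a === 172 && (b & 0xf0) === 16) ||   // 172.16.0.0/12
    (a === 192 && b === 168));
}

function isPublicStrict(input) {
  const ip = canonicalHost(input);
  if (ip === null) return false;                           // fail closed
  if (!ip.includes(':')) {
    const [a, b] = ip.split('.').map(Number);
    return v4IsPublic(a, b);
  }
  const g = expandV6(ip);
  const topZero = g.slice(0, 5).every((x) => x === 0);
  if (topZero && g[5] === 0xffff) return v4IsPublic(g[6] >> 8, g[6] & 0xff); // IPv4-mapped
  if (topZero && g[5] === 0 && g[6] === 0 && g[7] <= 1) return false;        // :: and ::1
  return !((g[0] & 0xfe00) === 0xfc00 ||   // fc00::/7 unique local
           (g[0] & 0xffc0) === 0xfe80 ||   // fe80::/10 link-local
           (g[0] & 0xff00) === 0xff00);    // ff00::/8 multicast
}

// The address forms listed in the CVE description, plus one public control.
const SAMPLES = ['127.1', '01200034567', '012.1.2.3', '000:0:0000::01', '::fFFf:127.0.0.1', '8.8.8.8'];
```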
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.2 | Impact: 5.9
Affected Packages: 3 packages
Vulnerability Details: 7
Exploits & PoCs: 1
Nuclei
Atlassian Confluence XSLT Macro - Server-Side Request Forgery
Vendor Advisories: 5
Debian
CVE-2025-59437: node-ip - The ip (aka node-ip) package through 2.0.1 (in NPM) might allow SSRF because the... (2025)
Debian
CVE-2025-59436: node-ip - The ip (aka node-ip) package through 2.0.1 (in NPM) might allow SSRF because the... (2025)
Debian
CVE-2024-29415: node-ip - The ip package through 2.0.1 for Node.js might allow SSRF because some IP addres... (2024)