CVE-2024-29415
Published 2024-05-27
Priority: P2 59 · high · CVSS 3.1: 8.1
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 8.28% (94.2th percentile)
The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | node-ip | < node-ip 2.0.1+~1.1.3-3 (forky) | node-ip 2.0.1+~1.1.3-3 (forky) |
| debian | node-ip | — | — |
| fedorindutny | ip | <= 2.0.1 | — |
| fedorindutny | ip | 0 – 2.0.1 | — |
Detection & IOCs
url: /rest/tinymce/1/macro/preview
url: /rest/api/content/macro/preview
other: contextConfigLocation
other: icon_hash=-305179312
- SSRF via node-ip isPublic bypass: IP addresses such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1 are improperly categorized as globally routable. Detect use of these forms in outbound requests or input validation contexts.
- Confluence XSLT macro SSRF: flag POST requests to /rest/tinymce/1/macro/preview or /rest/api/content/macro/preview with a JSON body containing macro name 'xslt' and an external 'location' parameter pointing to an attacker-controlled URL.
- Confluence XSLT macro XXE/SSRF: flag POST requests to the macro preview endpoints with an 'xml' body containing XXE entity references (e.g., ]>&xxe;) as potential exploitation attempts.
- Successful exploitation of the Confluence XSLT SSRF is indicated by a 200 response containing the string 'contextConfigLocation' in the body, combined with an outbound HTTP callback to the attacker's interactsh/OOB server.
- The node-ip isPublic fix has been incomplete across a chain of CVEs: CVE-2023-42282 → CVE-2024-29415 → CVE-2025-59436/CVE-2025-59437. Additional bypass values include octal 017700000001 and integer 0 (interpreted as 0.0.0.0/127.0.0.1 on some OS/app combinations).
- The Confluence XSLT SSRF (listed under CVE-2024-29415 in the Nuclei entry on this page) requires the attacker to be authenticated (PR:L). Unauthenticated exploitation is not indicated by the available sources.
- Red Hat notes that npm does not utilize the bundled node-ip code, so Red Hat Enterprise Linux is not affected by this vulnerability in its standard Node.js packages.
- The node-ip isPublic bypass for integer value 0 (CVE-2025-59437) is OS- and application-version-dependent: some environments block connections to 0/0.0.0.0 with ERR_ADDRESS_INVALID, while others route them to 127.0.0.1.
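A defensive check for the address spellings listed above, as an added example that is not code from the ip package or from any of the advisories: it canonicalises a host with the WHATWG URL parser built into Node.js before classifying it, so each address is judged in a single spelling. The names classifyHost, isInternalV4 and SAMPLE_HOSTS are assumptions made for this example, and the range list covers only the common non-public ranges.

```javascript
// Added example: canonicalise a host the way a WHATWG-URL-based client will, then classify it.
// classifyHost, isInternalV4 and SAMPLE_HOSTS are illustrative names, not part of the ip package.
function isInternalV4(dotted) {
  const [a, b] = dotted.split('.').map(Number);
  return a === 0 || a === 10 || a === 127 ||   // "this host", RFC 1918, loopback
    (a === 100 && b >= 64 && b <= 127) ||       // shared address space 100.64.0.0/10
    (a === 169 && b === 254) ||                 // link-local
    (a === 172 && b >= 16 && b <= 31) ||        // RFC 1918
    (a === 192 && b === 168);                   // RFC 1918
}

function classifyHost(input) {
  let host;
  try {
    // The URL parser expands short, octal, hex and integer IPv4 forms and
    // compresses IPv6, so the policy check sees one spelling per address.
    const wrapped = input.includes(':') ? `[${input}]` : input;
    host = new URL(`http://${wrapped}/`).hostname;
  } catch {
    return { canonical: null, verdict: 'invalid' };
  }
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host)) {
    return { canonical: host, verdict: isInternalV4(host) ? 'internal' : 'public' };
  }
  if (host.startsWith('[')) {
    const v6 = host.slice(1, -1);
    const mapped = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(v6);
    if (mapped) {
      // IPv4-mapped IPv6: recover the embedded IPv4 address and apply the IPv4 policy.
      const hi = parseInt(mapped[1], 16), lo = parseInt(mapped[2], 16);
      const v4 = [hi >> 8, hi & 255, lo >> 8, lo & 255].join('.');
      return { canonical: v4, verdict: isInternalV4(v4) ? 'internal' : 'public' };
    }
    const internal = v6 === '::' || v6 === '::1' ||             // unspecified, loopback
      /^f[cd][0-9a-f]{2}:/.test(v6) || /^fe[89ab][0-9a-f]:/.test(v6); // ULA, link-local
    return { canonical: v6, verdict: internal ? 'internal' : 'public' };
  }
  // Not an IP literal: the addresses it resolves to must be checked instead.
  return { canonical: host, verdict: 'hostname' };
}

// Constructed sample input: the address spellings named in the advisories on this page.
const SAMPLE_HOSTS = ['127.1', '01200034567', '012.1.2.3', '000:0:0000::01',
  '::fFFf:127.0.0.1', '017700000001', '0', '8.8.8.8'];
for (const h of SAMPLE_HOSTS) console.log(h, classifyHost(h));
```

A hostname verdict means the input was not an IP literal, so the same range check has to be applied to the addresses it resolves to at connection time.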
CVSS provenance
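| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| ghsa | 9.8 | CRITICAL | |
| osv | 9.8 | CRITICAL | |
| vendor_debian | 9.8 | CRITICAL | |
| vendor_redhat | 9.8 | CRITICAL | |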
Red Hat
ip: Node ip SSRF
vendor_redhat·2025-09-16·CVSS 8.1
CVE-2025-59436 [HIGH] CWE-918 ip: Node ip SSRF
The ip (aka node-ip) package through 2.0.1 (in NPM) might allow SSRF because the IP address value 017700000001 is improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2024-29415.
A potential SSRF vector has been discovered in the node ip package (ip on npm). The issue is that the value `0` is improperly categorized as globally routable via the isPublic function.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Package: io.cryostat-cryostat (Cryostat 4) - Fix deferred
Package: multicluster-engine/console-mce-rh
Debian
CVE-2025-59437: node-ip - The ip (aka node-ip) package through 2.0.1 (in NPM) might allow SSRF because the...
vendor_debian·2025·CVSS 8.1
CVE-2025-59437 [HIGH] CVE-2025-59437: node-ip - The ip (aka node-ip) package through 2.0.1 (in NPM) might allow SSRF because the...
The ip (aka node-ip) package through 2.0.1 (in NPM) might allow SSRF because the IP address value 0 is improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2024-29415. NOTE: in current versions of several applications, connection attempts to the IP address 0 (interpreted as 0.0.0.0) are blocked with error messages such as net::ERR_ADDRESS_INVALID. However, in some situations that depend on both application version and operating system, connection attempts to 0 and 0.0.0.0 are considered connection attempts to 127.0.0.1 (and, for this reason, a false value of isPublic would be preferable).
Scope: local
bookworm: resolved
bullseye: resolved
forky: open
sid: open
trixie: open
Debian
CVE-2025-59436: node-ip - The ip (aka node-ip) package through 2.0.1 (in NPM) might allow SSRF because the...
vendor_debian·2025·CVSS 8.1
CVE-2025-59436 [HIGH] CVE-2025-59436: node-ip - The ip (aka node-ip) package through 2.0.1 (in NPM) might allow SSRF because the...
The ip (aka node-ip) package through 2.0.1 (in NPM) might allow SSRF because the IP address value 017700000001 is improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2024-29415.
Scope: local
bookworm: resolved
bullseye: resolved
forky: open
sid: open
trixie: open
Red Hat
node-ip: Incomplete fix for CVE-2023-42282
vendor_redhat·2024-02-20·CVSS 9.8
CVE-2024-29415 [CRITICAL] CWE-918 node-ip: Incomplete fix for CVE-2023-42282
The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.
A flaw was found in node-ip. The fix for CVE-2023-42282 in the ip package for Node.js was incomplete, and the issue may still be triggered using some IP addresses.
Statement: For CVE-2023-42282, npm does not utilize the bundled code, therefore Red Hat Enterprise Linux is not affected by this vulnerability.
Mitigation: Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria co
Debian
CVE-2024-29415: node-ip - The ip package through 2.0.1 for Node.js might allow SSRF because some IP addres...
vendor_debian·2024·CVSS 9.8
CVE-2024-29415 [CRITICAL] CVE-2024-29415: node-ip - The ip package through 2.0.1 for Node.js might allow SSRF because some IP addres...
The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 2.0.1+~1.1.3-3)
sid: resolved (fixed in 2.0.1+~1.1.3-3)
trixie: resolved (fixed in 2.0.1+~1.1.3-3)
OSV
CVE-2025-59437: The ip (aka node-ip) package through 2
osv·2025-09-16·CVSS 8.1
CVE-2025-59437 [HIGH] CVE-2025-59437: The ip (aka node-ip) package through 2
The ip (aka node-ip) package through 2.0.1 (in NPM) might allow SSRF because the IP address value 0 is improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2024-29415. NOTE: in current versions of several applications, connection attempts to the IP address 0 (interpreted as 0.0.0.0) are blocked with error messages such as net::ERR_ADDRESS_INVALID. However, in some situations that depend on both application version and operating system, connection attempts to 0 and 0.0.0.0 are considered connection attempts to 127.0.0.1 (and, for this reason, a false value of isPublic would be preferable).
GHSA
GHSA-vvh3-7x7m-53xf: The ip (aka node-ip) package through 2
ghsa_unreviewed·2025-09-16·CVSS 8.1
CVE-2025-59437 [HIGH] CWE-918 GHSA-vvh3-7x7m-53xf: The ip (aka node-ip) package through 2
The ip (aka node-ip) package through 2.0.1 (in NPM) might allow SSRF because the IP address value 0 is improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2024-29415. NOTE: in current versions of several applications, connection attempts to the IP address 0 (interpreted as 0.0.0.0) are blocked with error messages such as net::ERR_ADDRESS_INVALID. However, in some situations that depend on both application version and operating system, connection attempts to 0 and 0.0.0.0 are considered connection attempts to 127.0.0.1 (and, for this reason, a false value of isPublic would be preferable).
OSV
CVE-2025-59436: The ip (aka node-ip) package through 2
osv·2025-09-16·CVSS 8.1
CVE-2025-59436 [HIGH] CVE-2025-59436: The ip (aka node-ip) package through 2
The ip (aka node-ip) package through 2.0.1 (in NPM) might allow SSRF because the IP address value 017700000001 is improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2024-29415.
GHSA
GHSA-qf5v-q897-m77r: The ip (aka node-ip) package through 2
ghsa_unreviewed·2025-09-16·CVSS 8.1
CVE-2025-59436 [HIGH] CWE-918 GHSA-qf5v-q897-m77r: The ip (aka node-ip) package through 2
The ip (aka node-ip) package through 2.0.1 (in NPM) might allow SSRF because the IP address value 017700000001 is improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2024-29415.
GHSA
ip SSRF improper categorization in isPublic
ghsa·2024-06-02·CVSS 9.8
CVE-2024-29415 [CRITICAL] CWE-918 ip SSRF improper categorization in isPublic
The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.
OSV
ip SSRF improper categorization in isPublic
osv·2024-06-02·CVSS 9.8
CVE-2024-29415 [CRITICAL] ip SSRF improper categorization in isPublic
The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.
OSV
CVE-2024-29415: The ip package through 2
osv·2024-05-27·CVSS 9.8
CVE-2024-29415 [CRITICAL] CVE-2024-29415: The ip package through 2
The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.
No detection rules found.
Nuclei
Atlassian Confluence XSLT Macro - Server-Side Request Forgery
nuclei·CVSS 8.1
CVE-2024-29415 [HIGH] Atlassian Confluence XSLT Macro - Server-Side Request Forgery
Atlassian Confluence Data Center and Server include an XSLT macro feature that may be vulnerable to Server-Side Request Forgery (SSRF). By leveraging the ability of the XSLT macro to access external resources, attackers can potentially cause the server to make HTTP requests to arbitrary URLs. This can allow internal network scanning, access to sensitive systems, or exposure of internal information.
Template:
id: confluence-xslt-macro-ssrf
info:
  name: Atlassian Confluence XSLT Macro - Server-Side Request Forgery
  author: ritikchaddha
  severity: high
  description: |
    Atlassian Confluence Data Center and Server include an XSLT macro feature that may be vulnerable to Server-Side Request Forgery (SSRF). By leveraging the ability of t
Bleepingcomputer
Critical SAP flaw allows remote attackers to bypass authentication
blogs_bleepingcomputer·2024-08-13·CVSS 7.8
CVE-2024-41730 [HIGH] Critical SAP flaw allows remote attackers to bypass authentication
By Bill Toulas
SAP has released its security patch package for August 2024, addressing 17 vulnerabilities, including a critical authentication bypass that could allow remote attackers to fully compromise the system.
The flaw, tracked as CVE-2024-41730 and rated 9.8 as per the CVSS v3.1 system, is a "missing authentication check" bug impacting SAP BusinessObjects Business Intelligence Platform versions 430 and 440 and is exploitable under certain conditions.
"In SAP BusinessObjects Business Intelligence Platform, if Single Signed On is enabled on Enterprise authentication, an unauthorized user can get a logon token using a REST endpoint," reads the vendor's description of the flaw.
"The attacker can fully compromise
Bugzilla
CVE-2024-29415 node-ip: Incomplete fix for CVE-2023-42282
bugzilla·2024-06-03·CVSS 9.8
CVE-2024-29415 [CRITICAL] CVE-2024-29415 node-ip: Incomplete fix for CVE-2023-42282
The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.
References:
https://github.com/indutny/node-ip/issues/150
https://github.com/indutny/node-ip/pull/143
https://github.com/indutny/node-ip/pull/144
Discussion:
Created golang-github-prometheus tracking bugs for this issue:
Affects: epel-all [bug 2284588]
Created magicmirror tracking bugs for this issue:
Affects: fedora-all [bug 2284589]
---
Created nodejs-ip tracking bugs for this issue:
Affects: epel-7 [bug 2294513]
---
This nod
References:
https://github.com/indutny/node-ip/issues/150
https://github.com/indutny/node-ip/pull/143
https://github.com/indutny/node-ip/pull/144
https://security.netapp.com/advisory/ntap-20250117-0010/