Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[GHSA-78xj-cgh5-2h22] NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks #3531

Conversation

dotboris
Copy link

Updates

  • Affected products
  • Description
  • Severity
  • Summary

Comments
The original report mentions remote code execution, private data exfiltration and SSRF. The issue in ip doesn't actually cause any of these. The core issue is that in some cases isPublic() reports some private ip addresses as public. If this function is used to protect critical code paths and is given user input then an attacker could do something to those critical code paths.

I believe that the original description and score are a bit alarmist giving the impression that everyone using the lib or even function is vulnerable when in reality the function has a bug if when used in secured context that can be an issue. I think that most projects that depend on this lib directly or transitively are not actually vulnerable in any way and having such a score and description generates un-needed panic and work for all their maintainers.

@github-actions github-actions bot changed the base branch from main to dotboris/advisory-improvement-3531 February 14, 2024 00:10
@matkoniecz
Copy link

matkoniecz commented Feb 14, 2024

I think that most projects that depend on this lib directly or transitively are not actually vulnerable in any way and having such a score and description generates un-needed panic and work for all their maintainers.

Also, they contribute to alarm fatigue. Next time when there will be report of ultra-critical security bug in js package and it will actually real many people will dismiss it as likely overstating things again and will not treat as super important.

See also https://overreacted.io/npm-audit-broken-by-design/

(and overly alarmist CVE are repeated and serious problem)

"summary": "NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks",
"details": "An issue in all published versions of the NPM package `ip` allows an attacker to execute arbitrary code and obtain sensitive information via the `isPublic()` function. This can lead to potential Server-Side Request Forgery (SSRF) attacks. The core issue is the function's failure to accurately distinguish between public and private IP addresses.",
"summary": "NPM IP package incorrectly identifies some private IP addresses as public",
"details": "The `isPublic()` function of all published versions of the NPM package `ip` doesn't correctly identity certain private IP addresses in uncommon formats such as `0x7F.1` as private. Instead, it reports them as public by returning `true`. This can lead to security issues such as Server-Side Request Forgery (SSRF) if `isPublic()` is used to protect sensitive code paths when passed user input.",
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Small typo there

Suggested change
"details": "The `isPublic()` function of all published versions of the NPM package `ip` doesn't correctly identity certain private IP addresses in uncommon formats such as `0x7F.1` as private. Instead, it reports them as public by returning `true`. This can lead to security issues such as Server-Side Request Forgery (SSRF) if `isPublic()` is used to protect sensitive code paths when passed user input.",
"details": "The `isPublic()` function of all published versions of the NPM package `ip` doesn't correctly identify certain private IP addresses in uncommon formats such as `0x7F.1` as private. Instead, it reports them as public by returning `true`. This can lead to security issues such as Server-Side Request Forgery (SSRF) if `isPublic()` is used to protect sensitive code paths when passed user input.",

Copy link

@nam-nguyen-clv nam-nguyen-clv left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM,
and as discussed here indutny/node-ip#136, this issue really should be marked as lower severity

@JonathanLEvans
Copy link

Hi @dotboris thank you for your contribution. Unfortunately, we are unable to update the description of the CVE record because the ID was issued by MITRE. To get it updated, you need to contact MITRE using the "Request an update to an existing CVE Entry" form at  https://cveform.mitre.org/.

@matkoniecz
Copy link

Yes, description of CVE itself may not be changed here.

But it can be edited here to avoid repeating misleading claim.

Maybe add extra note that it is not repeating CVE blindly?

@advisory-database advisory-database bot merged commit acb67ee into dotboris/advisory-improvement-3531 Feb 20, 2024
2 checks passed
@advisory-database
Copy link
Contributor

Hi @dotboris! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

@advisory-database advisory-database bot deleted the dotboris-GHSA-78xj-cgh5-2h22 branch February 20, 2024 18:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants