-
Notifications
You must be signed in to change notification settings - Fork 342
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[GHSA-78xj-cgh5-2h22] NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks #3531
[GHSA-78xj-cgh5-2h22] NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks #3531
Conversation
Also, they contribute to alarm fatigue. Next time when there will be report of ultra-critical security bug in js package and it will actually real many people will dismiss it as likely overstating things again and will not treat as super important. See also https://overreacted.io/npm-audit-broken-by-design/ (and overly alarmist CVE are repeated and serious problem) |
"summary": "NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks", | ||
"details": "An issue in all published versions of the NPM package `ip` allows an attacker to execute arbitrary code and obtain sensitive information via the `isPublic()` function. This can lead to potential Server-Side Request Forgery (SSRF) attacks. The core issue is the function's failure to accurately distinguish between public and private IP addresses.", | ||
"summary": "NPM IP package incorrectly identifies some private IP addresses as public", | ||
"details": "The `isPublic()` function of all published versions of the NPM package `ip` doesn't correctly identity certain private IP addresses in uncommon formats such as `0x7F.1` as private. Instead, it reports them as public by returning `true`. This can lead to security issues such as Server-Side Request Forgery (SSRF) if `isPublic()` is used to protect sensitive code paths when passed user input.", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Small typo there
"details": "The `isPublic()` function of all published versions of the NPM package `ip` doesn't correctly identity certain private IP addresses in uncommon formats such as `0x7F.1` as private. Instead, it reports them as public by returning `true`. This can lead to security issues such as Server-Side Request Forgery (SSRF) if `isPublic()` is used to protect sensitive code paths when passed user input.", | |
"details": "The `isPublic()` function of all published versions of the NPM package `ip` doesn't correctly identify certain private IP addresses in uncommon formats such as `0x7F.1` as private. Instead, it reports them as public by returning `true`. This can lead to security issues such as Server-Side Request Forgery (SSRF) if `isPublic()` is used to protect sensitive code paths when passed user input.", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM,
and as discussed here indutny/node-ip#136, this issue really should be marked as lower severity
Hi @dotboris thank you for your contribution. Unfortunately, we are unable to update the description of the CVE record because the ID was issued by MITRE. To get it updated, you need to contact MITRE using the "Request an update to an existing CVE Entry" form at https://cveform.mitre.org/. |
Yes, description of CVE itself may not be changed here. But it can be edited here to avoid repeating misleading claim. Maybe add extra note that it is not repeating CVE blindly? |
acb67ee
into
dotboris/advisory-improvement-3531
Hi @dotboris! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future! |
Updates
Comments
The original report mentions remote code execution, private data exfiltration and SSRF. The issue in
ip
doesn't actually cause any of these. The core issue is that in some casesisPublic()
reports some private ip addresses as public. If this function is used to protect critical code paths and is given user input then an attacker could do something to those critical code paths.I believe that the original description and score are a bit alarmist giving the impression that everyone using the lib or even function is vulnerable when in reality the function has a bug if when used in secured context that can be an issue. I think that most projects that depend on this lib directly or transitively are not actually vulnerable in any way and having such a score and description generates un-needed panic and work for all their maintainers.