Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Vulnerability: express-ipfilter use Depends on vulnerable versions of ip package #159

Closed
DmytroShalaiev opened this issue Feb 14, 2024 · 10 comments

Comments

@DmytroShalaiev
Copy link

ip *
Severity: high
NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks - GHSA-78xj-cgh5-2h22
No fix available
node_modules/ip
express-ipfilter *
Depends on vulnerable versions of ip
node_modules/express-ipfilter

Снимок экрана 2024-02-14 в 12 37 46

@jetersen
Copy link
Owner

jetersen commented Feb 14, 2024

Not relevant, we do not use isPublic, see https://github.com/search?q=repo%3Ajetersen%2Fexpress-ipfilter%20isPublic&type=code

@DmytroShalaiev
Copy link
Author

Thanks for reply, I am about this package https://github.com/jetersen/express-ipfilter/blob/master/package.json#L78

@DmytroShalaiev
Copy link
Author

But seems there is no fix from https://github.com/indutny/node-ip

@jetersen
Copy link
Owner

But the vulnerability is only in there if you actively use isPublic
Please read the CVE.

@DmytroShalaiev
Copy link
Author

Oh, sure, I understood, thanks for the reply.

@odubuc
Copy link

odubuc commented Feb 19, 2024

This logic doesn't compute for me.
what is the downside to upgrade and get rid of false positive report ?

@jetersen
Copy link
Owner

Feel free to submit a PR. There are plenty of false positive.

@jetersen
Copy link
Owner

@odubuc
Copy link

odubuc commented Feb 21, 2024

Thanks will do next time. I misunderstood your comment

@jetersen
Copy link
Owner

@odubuc well you can read this: indutny/node-ip#136 (comment) it details the issue I have with this CVE

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants