CVE-2024-29415: ip SSRF improper categorization in isPublic

June 2, 2024

The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.

References

github.com/advisories/GHSA-2p57-rm9w-gvfp
github.com/indutny/node-ip
github.com/indutny/node-ip/issues/150
github.com/indutny/node-ip/pull/143
github.com/indutny/node-ip/pull/144
nvd.nist.gov/vuln/detail/CVE-2024-29415

Detect and mitigate CVE-2024-29415 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →