[GHSA-78xj-cgh5-2h22] NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks

[dotboris]

Updates

• Affected products
• Description
• Severity
• Summary

Comments
The original report mentions remote code execution, private data exfiltration and SSRF. The issue in ip doesn't actually cause any of these. The core issue is that in some cases isPublic() reports some private ip addresses as public. If this function is used to protect critical code paths and is given user input then an attacker could do something to those critical code paths.

I believe that the original description and score are a bit alarmist giving the impression that everyone using the lib or even function is vulnerable when in reality the function has a bug if when used in secured context that can be an issue. I think that most projects that depend on this lib directly or transitively are not actually vulnerable in any way and having such a score and description generates un-needed panic and work for all their maintainers.

[matkoniecz]

I think that most projects that depend on this lib directly or transitively are not actually vulnerable in any way and having such a score and description generates un-needed panic and work for all their maintainers.

Also, they contribute to alarm fatigue. Next time when there will be report of ultra-critical security bug in js package and it will actually real many people will dismiss it as likely overstating things again and will not treat as super important.

See also https://overreacted.io/npm-audit-broken-by-design/

(and overly alarmist CVE are repeated and serious problem)

[darcien]

Small typo there

Suggested change

"details": "The `isPublic()` function of all published versions of the NPM package `ip` doesn't correctly identity certain private IP addresses in uncommon formats such as `0x7F.1` as private. Instead, it reports them as public by returning `true`. This can lead to security issues such as Server-Side Request Forgery (SSRF) if `isPublic()` is used to protect sensitive code paths when passed user input.",

"details": "The `isPublic()` function of all published versions of the NPM package `ip` doesn't correctly identify certain private IP addresses in uncommon formats such as `0x7F.1` as private. Instead, it reports them as public by returning `true`. This can lead to security issues such as Server-Side Request Forgery (SSRF) if `isPublic()` is used to protect sensitive code paths when passed user input.",

[nam-nguyen-clv]

LGTM,
and as discussed here indutny/node-ip#136, this issue really should be marked as lower severity

[JonathanLEvans]

Hi @dotboris thank you for your contribution. Unfortunately, we are unable to update the description of the CVE record because the ID was issued by MITRE. To get it updated, you need to contact MITRE using the "Request an update to an existing CVE Entry" form at  https://cveform.mitre.org/.

[matkoniecz]

Yes, description of CVE itself may not be changed here.

But it can be edited here to avoid repeating misleading claim.

Maybe add extra note that it is not repeating CVE blindly?

[advisory-database]

Hi @dotboris! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!