🚨 HIGH Severity Vulnerability: Package unsafe for use as of v1.1.8 🚨

[taylorjdawson]

Until PR is merge to mitigate this attack vector, package should be deemed unsafe for use.

NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks, see GitHub advisory for more information.

[carnil]

CVE-2023-42282 is associated with this issue, mentioning it for cross-reference as well.

[glitch-txs]

@indutny any update on this?

[levpachmanov]

Hi @taylorjdawson @carnil @glitch-txs,

Notice that ip@2.0.0 is affected by CVE-2023-42282 - github/advisory-database#3504

We're part of a startup called Seal Security that mitigates software vulnerabilities in older open source versions by backporting/creating standalone security patches - enabling more straightforward remediation in cases like this. We created an ip 1.1.8-sp and 2.0.0-sp1 that's vulnerability-free. As with all of our patches, it's open-source and available for free.

If relevant, check out our GitHub repo if you wish to learn more, or start using our app.

Please feel free to reach us at info@seal.security if you have any requests/questions.

[mukitmomin]

Looks like there is an open PR: #138 that fixes this issue. Any timeline on when it will be merged and released?

[damonholden]

Any update on this?

[aminekun90]

Any update on this?

There is an open PR for this ... --'

[levpachmanov]

@mukitmomin @damonholden @aminekun90 notice @mnikolaus 's comment on #138 that the current PR covers only a limited number of cases and as @n0099 mentioned there are many other options

[damonholden]

Are there any known workarounds then? We've had to move our project to critical vulnerability blockers only for this.

[aminekun90]

Are there any known workarounds then? We've had to move our project to critical vulnerability blockers only for this.

For our project we unfortunately got rid of the library using node-ip

[levpachmanov]

@damonholden - as others suggested you might try getting rid of node-ip. Alternatively we (Seal Security) released a patch that we believe covers all the cases. You can check out or our GitHub repo and our app - it's free to use for open source projects.

[dchambers]

We're part of a startup called Seal Security that mitigates software vulnerabilities in older open source versions by backporting/creating standalone security patches

@levpachmanov, may I ask, was it also your team that reported the issue to NIST in the first place?

[levpachmanov]

@dchambers no, the credit goes to @cosmosofcyberspace AFAIK. We have only suggested updating the affected version range of the advisory (even though @G-Rath did it first) and trying to help the community remediate the risk.

[dotboris]

I feel that this CVE is less critical than it's made to appear and that this issue (title + description) are a bit alarmist.

What's going on here is that the isPublic(...) function from this package has a bug. It fails to recognize some ips in hex format as private. This doesn't make it a security issue in its own right.

The advisory labels this a high and talks of remote code execution, information disclosure and server-side request forgery. None of that is true when you look at ip in isolation.

You're only vulnerable to anything remotely close to what the advisory talks about if:

• You have a vulnerable version of ip in your deps
• and you or your dependencies use the isPublic() function
• and that function is used to guard something sensitive
• and the input you pass to isPublic() is user input

Only then, you have a problem.

If you've somehow landed here because your favourite / work imposed security tool is raising an alarm about this, you're probably fine. I suggest that you check for yourself to see if your code is affect. It most likely isn't.

I personally did this by searching for isPublic( in my code and node_modules and found nothing to be alarmed about.