You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
NPM IP package incorrectly identifies some private IP addresses as public
Low severity
GitHub Reviewed
Published
Feb 8, 2024
to the GitHub Advisory Database
•
Updated Jun 28, 2024
The isPublic() function in the NPM package ip doesn't correctly identify certain private IP addresses in uncommon formats such as 0x7F.1 as private. Instead, it reports them as public by returning true. This can lead to security issues such as Server-Side Request Forgery (SSRF) if isPublic() is used to protect sensitive code paths when passed user input. Versions 1.1.9 and 2.0.1 fix the issue.
The
isPublic()
function in the NPM packageip
doesn't correctly identify certain private IP addresses in uncommon formats such as0x7F.1
as private. Instead, it reports them as public by returningtrue
. This can lead to security issues such as Server-Side Request Forgery (SSRF) ifisPublic()
is used to protect sensitive code paths when passed user input. Versions 1.1.9 and 2.0.1 fix the issue.References