CVE-2024-28607: The ip-utils package through 2.4.0 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally...

2.9 CVSS

Description

The ip-utils package through 2.4.0 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via a falsy isPrivate return value.

Classification

CVE ID: CVE-2024-28607

CVSS Base Severity: LOW

CVSS Base Score: 2.9

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Problem Types

CWE-180 Incorrect Behavior Order: Validate Before Canonicalize

Affected Products

Vendor: librasean

Product: IP-Utils

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.02% (estimated probability of exploitation)

EPSS Percentile: 1.87% (share of scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-04-09 (date this score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2024-28607
https://github.com/librasean/IP-Utils/blob/4f88799f94f21efe6ea9135129ab2bbeb0c58edc/src/IsPrivate.ts#L4
https://gist.github.com/aydinnyunus/4d71e7d9a433f3afc658724b903f4d23

Timeline