
CVE-2024-29415: The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and...

Description

The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.
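The root cause described above is classification done on a loosely parsed string, so shorthand spellings ("127.1"), leading-zero octets ("012.1.2.3"), zero-padded IPv6 groups ("000:0:0000::01") and IPv4-mapped IPv6 ("::fFFf:127.0.0.1") slip past a check meant to catch loopback and private ranges. The following Node.js classifier is an added example, not code from the ip package, its maintainers, or this record: it parses an address into bytes first (rejecting anything that is not a strict dotted quad or a well-formed IPv6 literal) and only then decides whether it is globally routable, failing closed on anything it cannot parse. The function names and the range list are this example's own choices.

```javascript
// Added example (not the ip package's code): strict parse, then classify.

// Strict dotted-quad IPv4: exactly four decimal octets 0-255, no leading
// zeros, no hex/octal, no "127.1" shorthand. Returns [a,b,c,d] or null.
function parseIPv4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const octets = [];
  for (let i = 1; i <= 4; i++) {
    const part = m[i];
    if (part.length > 1 && part[0] === '0') return null; // "012": ambiguous, reject
    const n = Number(part);
    if (n > 255) return null;
    octets.push(n);
  }
  return octets;
}

// IPv6 literal to 16 bytes. Accepts one "::" compression, 1-4 hex digits per
// group (so "000:0:0000::01" parses to ::1 and is then caught as loopback)
// and a trailing embedded dotted quad ("::ffff:127.0.0.1"). Returns null on
// any syntax error.
function parseIPv6(s) {
  let str = s;
  let tailGroups = [];
  const lastColon = str.lastIndexOf(':');
  if (lastColon !== -1 && str.indexOf('.', lastColon) !== -1) {
    const v4 = parseIPv4(str.slice(lastColon + 1)); // same strict rules apply
    if (!v4) return null;
    tailGroups = [(v4[0] << 8) | v4[1], (v4[2] << 8) | v4[3]];
    // Drop the quad; keep "::" intact if the quad directly followed it.
    str = str[lastColon - 1] === ':' ? str.slice(0, lastColon + 1) : str.slice(0, lastColon);
  }
  const parts = str.split('::');
  if (parts.length > 2) return null;
  const parseGroups = (p) => (p === '' ? [] :
    p.split(':').map((g) => (/^[0-9a-fA-F]{1,4}$/.test(g) ? parseInt(g, 16) : NaN)));
  const head = parseGroups(parts[0]);
  const rest = parts.length === 2 ? parseGroups(parts[1]) : [];
  if ([...head, ...rest].some(Number.isNaN)) return null;
  const fixed = head.length + rest.length + tailGroups.length;
  let groups;
  if (parts.length === 2) {
    if (fixed > 7) return null; // "::" must stand for at least one group
    groups = [...head, ...new Array(8 - fixed).fill(0), ...rest, ...tailGroups];
  } else {
    if (fixed !== 8) return null;
    groups = [...head, ...rest, ...tailGroups];
  }
  const bytes = [];
  for (const g of groups) bytes.push(g >> 8, g & 0xff);
  return bytes;
}

// Non-public IPv4 ranges (this example's list, not the ip package's).
function isPublicIPv4(o) {
  const [a, b] = o;
  if (a === 0 || a === 10 || a === 127) return false;      // 0/8, 10/8, loopback
  if (a === 169 && b === 254) return false;                  // link-local
  if (a === 172 && b >= 16 && b <= 31) return false;         // 172.16/12
  if (a === 192 && b === 168) return false;                  // 192.168/16
  if (a === 100 && b >= 64 && b <= 127) return false;        // 100.64/10 CGNAT
  if (a >= 224) return false;                                // multicast/reserved
  return true;
}

function isPublicIPv6(bytes) {
  const mapped = bytes.slice(0, 10).every((x) => x === 0) &&
    bytes[10] === 0xff && bytes[11] === 0xff;
  if (mapped) return isPublicIPv4(bytes.slice(12));          // ::ffff:a.b.c.d
  const zeroPrefix = bytes.slice(0, 15).every((x) => x === 0);
  if (zeroPrefix && bytes[15] <= 1) return false;            // :: and ::1
  if (bytes[0] === 0xfe && (bytes[1] & 0xc0) === 0x80) return false; // fe80::/10
  if ((bytes[0] & 0xfe) === 0xfc) return false;              // fc00::/7
  if (bytes[0] === 0xff) return false;                       // multicast
  return true;
}

// True only for an address that parsed strictly AND is globally routable.
// Anything unparseable is treated as not public (fail closed).
function isStrictlyPublic(s) {
  const v4 = parseIPv4(s);
  if (v4) return isPublicIPv4(v4);
  const v6 = parseIPv6(s);
  if (v6) return isPublicIPv6(v6);
  return false;
}

module.exports = { parseIPv4, parseIPv6, isPublicIPv4, isPublicIPv6, isStrictlyPublic };
```

The design point is that the parser never tries to "understand" a shorthand form: "127.1" and "012.1.2.3" are rejected outright, while the two IPv6 spellings from the advisory are expanded to bytes and land on the loopback checks. For an SSRF guard this check should run on the address the socket will actually connect to (after DNS resolution), not only on the hostname string in the URL.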

Classification

CVE ID: CVE-2024-29415

Affected Products

Vendor: n/a

Product: n/a

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.06% (probability of being exploited)

EPSS Percentile: 29.12% (share of scored vulnerabilities with an equal or lower score)

EPSS Date: 2025-02-15 (date the score was calculated)

References

https://github.com/indutny/node-ip/pull/143
https://github.com/indutny/node-ip/pull/144
https://github.com/indutny/node-ip/issues/150

Timeline