Arbitrary Code Execution and Sensitive Information Theft via isPublic()
CVE-2023-42282
9.8 CRITICAL
What is CVE-2023-42282?
The ip package for Node.js prior to version 1.1.9 is vulnerable to Server Side Request Forgery (SSRF) because of a flaw in how certain IP addresses are classified. Specifically, non-canonical addresses such as 0x7f.1 (which the operating system resolves as the loopback address 127.0.0.1) are incorrectly marked as publicly routable, which can lead to unauthorized access to internal resources. This vulnerability may allow attackers to send crafted requests that bypass network restrictions and reach internal systems, posing a significant risk to applications that rely on the ip package for IP address management.
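The defensive point is that a "public address" check must parse the input the same way the network stack will, then fail closed. The following is an added example, not code from the ip package: it normalises the loose inet_aton-style notation (hex, octal and shorthand forms such as 0x7f.1) into four octets before testing reserved ranges. The function names, the reserved-range table and all sample inputs other than 0x7f.1 are constructed for this illustration.

```javascript
// Parse one dotted component: hex (0x..), octal (leading 0) or decimal.
function parsePart(s) {
  if (/^0[xX][0-9a-fA-F]+$/.test(s)) return parseInt(s.slice(2), 16);
  if (/^0[0-7]*$/.test(s)) return parseInt(s, 8);      // "0" -> 0, "0177" -> 127
  if (/^[1-9][0-9]*$/.test(s)) return parseInt(s, 10);
  return NaN;                                          // "08", "abc", "" are rejected
}

// Loose IPv4 parser mirroring inet_aton semantics (assumed): 1-4 parts,
// the last part fills all remaining bytes. Returns [a, b, c, d] or null.
function parseIPv4Loose(str) {
  const parts = String(str).split('.');
  if (parts.length < 1 || parts.length > 4) return null;
  const nums = parts.map(parsePart);
  if (nums.some(Number.isNaN)) return null;
  const bytes = [];
  for (let i = 0; i < nums.length - 1; i++) {          // leading parts: one octet each
    if (nums[i] > 255) return null;
    bytes.push(nums[i]);
  }
  const remaining = 4 - bytes.length;                  // last part spans the rest
  const last = nums[nums.length - 1];
  if (last >= 2 ** (8 * remaining)) return null;
  for (let i = remaining - 1; i >= 0; i--) {
    bytes.push(Math.floor(last / 2 ** (8 * i)) % 256);
  }
  return bytes;
}

// Constructed deny-list of ranges that must never be treated as public.
const RESERVED = [
  [[0, 0, 0, 0], 8],        // "this" network
  [[10, 0, 0, 0], 8],       // RFC 1918
  [[127, 0, 0, 0], 8],      // loopback (where 0x7f.1 really lands)
  [[169, 254, 0, 0], 16],   // link-local, includes cloud metadata endpoints
  [[172, 16, 0, 0], 12],    // RFC 1918
  [[192, 168, 0, 0], 16],   // RFC 1918
];

function inCidr(bytes, net, prefix) {
  const toInt = (b) => (b[0] * 16777216 + b[1] * 65536 + b[2] * 256 + b[3]) >>> 0;
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return ((toInt(bytes) & mask) >>> 0) === ((toInt(net) & mask) >>> 0);
}

// Strict replacement for an isPublic()-style check: unparseable input and
// every reserved range are treated as NOT public (fail closed).
function isPublicStrict(str) {
  const bytes = parseIPv4Loose(str);
  if (!bytes) return false;
  return !RESERVED.some(([net, prefix]) => inCidr(bytes, net, prefix));
}
```

Run against the page's own example, `isPublicStrict('0x7f.1')` returns false because the address normalises to 127.0.0.1, whereas a check that inspects the literal string would let it through.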
