Node.js ip package vulnerable to SSRF due to incomplete fix for CVE-2023-42282
CVE-2024-29415

8.1 HIGH

Key Information:

Vendor: Node.js
CVE Published: 27 May 2024

Badges

📰 News Worthy

Summary

CVE-2024-29415 affects the Node.js ip package through version 2.0.1. The package's isPublic() check classifies several non-canonical address forms as globally routable, so an application that relies on it to keep outbound requests away from loopback, private or link-local targets can still be steered into contacting them (SSRF). The NVD description lists examples such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01 and ::fFFf:127.0.0.1: each passes the check as "public" yet is parsed by libc-style resolvers and most HTTP clients as a loopback or private address. The issue exists because the fix for the earlier CVE-2023-42282 was incomplete. The Japanese article listed below pairs this CVE with separate research into Cox modem flaws that may have affected millions of devices; there is no evidence of exploitation of CVE-2024-29415 itself at this time. Users of the affected package are encouraged to validate addresses with a strict parser that rejects shorthand, octal and IPv4-mapped IPv6 forms, or to switch to a more actively maintained alternative. A bypassed address allow-list is a direct path to internal services, which is why prompt mitigation matters here.
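The bypass class described above, as an added example that is not part of the advisory or of the ip package's own code: a strict, fail-closed replacement for an isPublic()-style check. It parses only canonical dotted-quad IPv4 and RFC 4291 IPv6 literals, unwraps IPv4-mapped IPv6 so the embedded IPv4 address is what gets classified, and compares against the standard non-public ranges; anything it cannot parse unambiguously is treated as not public. The inputs are the five forms quoted in the NVD description plus constructed controls. All function and constant names are this example's own.

```javascript
'use strict';
// Added example: strict, fail-closed "is this address public?" check.
// Not taken from the ip package; every name here is this example's own.

// Strict IPv4: exactly four decimal octets, no leading zeros, no shorthand.
// Rejects "127.1", "012.1.2.3", "01200034567" and hex/octal forms.
function parseIPv4(s) {
  const parts = s.split('.');
  if (parts.length !== 4) return null;
  const bytes = [];
  for (const p of parts) {
    if (!/^(0|[1-9][0-9]{0,2})$/.test(p)) return null;
    const n = Number(p);
    if (n > 255) return null;
    bytes.push(n);
  }
  return bytes;
}

// Strict IPv6 to 16 bytes: hex groups, at most one "::", optional dotted-quad
// tail ("::ffff:127.0.0.1"). No brackets, zone IDs, ports or whitespace.
function parseIPv6(s) {
  const lastColon = s.lastIndexOf(':');
  if (lastColon !== -1 && s.slice(lastColon + 1).includes('.')) {
    const v4 = parseIPv4(s.slice(lastColon + 1));
    if (!v4) return null;
    s = s.slice(0, lastColon + 1) +
      ((v4[0] << 8) | v4[1]).toString(16) + ':' + ((v4[2] << 8) | v4[3]).toString(16);
  }
  if (!/^[0-9a-fA-F:]+$/.test(s)) return null;
  const dbl = s.indexOf('::');
  if (dbl !== -1 && s.indexOf('::', dbl + 1) !== -1) return null;
  const toWords = (str) => {
    if (str === '') return [];
    const out = [];
    for (const g of str.split(':')) {
      if (!/^[0-9a-fA-F]{1,4}$/.test(g)) return null;
      out.push(parseInt(g, 16));
    }
    return out;
  };
  let words;
  if (dbl === -1) {
    words = toWords(s);
    if (!words || words.length !== 8) return null;
  } else {
    const head = toWords(s.slice(0, dbl));
    const tail = toWords(s.slice(dbl + 2));
    if (!head || !tail || head.length + tail.length > 7) return null;
    words = [...head, ...new Array(8 - head.length - tail.length).fill(0), ...tail];
  }
  return words.flatMap((w) => [w >> 8, w & 0xff]);
}

// True when the first `bits` bits of `bytes` equal those of `prefix`.
function inPrefix(bytes, prefix, bits) {
  const full = bits >> 3, rem = bits & 7;
  for (let i = 0; i < full; i++) if (bytes[i] !== prefix[i]) return false;
  if (rem === 0) return true;
  const mask = (0xff << (8 - rem)) & 0xff;
  return (bytes[full] & mask) === (prefix[full] & mask);
}

// Non-public ranges: RFC 6890 special-purpose blocks, multicast, reserved.
const V4_NONPUBLIC = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.0.0.0', 24], ['192.0.2.0', 24],
  ['192.168.0.0', 16], ['198.18.0.0', 15], ['198.51.100.0', 24],
  ['203.0.113.0', 24], ['224.0.0.0', 4], ['240.0.0.0', 4],
].map(([p, bits]) => [parseIPv4(p), bits]);
const V6_NONPUBLIC = [
  ['::', 128], ['::1', 128], ['2001:db8::', 32], ['fc00::', 7], ['fe80::', 10], ['ff00::', 8],
].map(([p, bits]) => [parseIPv6(p), bits]);
const V4_MAPPED = parseIPv6('::ffff:0:0');

// Fail closed: a string that is not a canonical literal is NOT public.
// IPv4-mapped IPv6 is judged by its embedded IPv4 address.
function isPublic(addr) {
  if (typeof addr !== 'string') return false;
  let v4 = parseIPv4(addr);
  if (!v4) {
    const v6 = parseIPv6(addr);
    if (!v6) return false;
    if (!inPrefix(v6, V4_MAPPED, 96)) {
      return !V6_NONPUBLIC.some(([p, bits]) => inPrefix(v6, p, bits));
    }
    v4 = v6.slice(12);
  }
  return !V4_NONPUBLIC.some(([p, bits]) => inPrefix(v4, p, bits));
}

// The forms quoted in the NVD description, plus constructed controls.
const NVD_SAMPLES = ['127.1', '01200034567', '012.1.2.3', '000:0:0000::01', '::fFFf:127.0.0.1'];
const CONTROLS = { '8.8.8.8': true, '::ffff:8.8.8.8': true, '2001:4860:4860::8888': true,
                   '10.0.0.1': false, '[::1]': false, '127.0.0.1 ': false };

function classify(addrs) {
  return Object.fromEntries(addrs.map((a) => [a, isPublic(a)]));
}

console.log(classify(NVD_SAMPLES));          // every NVD sample -> false
console.log(classify(Object.keys(CONTROLS))); // matches the CONTROLS table
```

The design choice is to reject rather than normalize: the vulnerable behaviour comes from accepting a textual form the check does not understand and then letting a different parser (the HTTP client's) interpret it. A guard like this should also be applied to the address actually resolved at connect time, since a hostname can pass validation and then resolve to a loopback address.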

News Articles

SAP Update: Patches Fix Critical Flaws For Businesses

This month's SAP update addresses critical flaws that could allow attackers to bypass authentication and gain complete control of affected systems.

Researchers discover flaw in Cox modems; impact may have reached millions of devices | Codebook|Security News

Researchers discover flaw in Cox modems; impact may have reached millions of devices | CVE-2024-29415: many users of the popular Node.js package node-ip may be exposed to SSRF attacks


CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 📰 First article discovered by 株式会社マキナレコード
  • Vulnerability published