Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-78xj-cgh5-2h22: NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks

An issue in NPM IP Package v.1.1.8 and before allows an attacker to execute arbitrary code and obtain sensitive information via the isPublic() function. This can lead to potential Server-Side Request Forgery (SSRF) attacks. The core issue is the function’s failure to accurately distinguish between public and private IP addresses.

ghsa
#nodejs#git#ssrf

NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks

High severity GitHub Reviewed Published Feb 8, 2024 to the GitHub Advisory Database • Updated Feb 9, 2024

Related news

Red Hat Security Advisory 2024-3868-03

Red Hat Security Advisory 2024-3868-03 - Network Observability 1.6 for Red Hat OpenShift. Issues addressed include code execution, denial of service, memory exhaustion, and password leak vulnerabilities.

Red Hat Security Advisory 2024-3550-03

Red Hat Security Advisory 2024-3550-03 - HawtIO 4.0.0 for Red Hat build of Apache Camel 4 GA Release is now available. Issues addressed include code execution, denial of service, and password leak vulnerabilities.

Ubuntu Security Notice USN-6643-1

Ubuntu Security Notice 6643-1 - Emre Durmaz discovered that NPM IP package incorrectly distinguished between private and public IP addresses. A remote attacker could possibly use this issue to perform Server-Side Request Forgery attacks.