GHSA-78xj-cgh5-2h22: NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks
An issue in the NPM ip package, version 1.1.8 and earlier, allows an attacker to obtain sensitive information via the isPublic() function, which can lead to Server-Side Request Forgery (SSRF). The core issue is the function's failure to accurately distinguish between public and private IP addresses: it tests the raw address string against patterns for the private ranges, so an address written in a form those patterns do not anticipate is reported as public even when it designates an internal host.
High severity • GitHub Reviewed • Published Feb 8, 2024 to the GitHub Advisory Database • Updated Feb 9, 2024
Related news
Red Hat Security Advisory 2024-3868-03 - Network Observability 1.6 for Red Hat OpenShift. Issues addressed include code execution, denial of service, memory exhaustion, and password leak vulnerabilities.
Red Hat Security Advisory 2024-3550-03 - HawtIO 4.0.0 for Red Hat build of Apache Camel 4 GA Release is now available. Issues addressed include code execution, denial of service, and password leak vulnerabilities.
Ubuntu Security Notice 6643-1 - Emre Durmaz discovered that NPM IP package incorrectly distinguished between private and public IP addresses. A remote attacker could possibly use this issue to perform Server-Side Request Forgery attacks.