First published: Thu Feb 08 2024
The `isPublic()` function in the NPM package `ip` doesn't correctly identify certain private IP addresses in uncommon formats such as `0x7F.1` as private. Instead, it reports them as public by returning `true`. This can lead to security issues such as Server-Side Request Forgery (SSRF) if `isPublic()` is used to protect sensitive code paths when passed user input. Versions 1.1.9 and 2.0.1 fix the issue.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| npm/ip | <1.1.9 | 1.1.9 |
| npm/ip | =2.0.0 | 2.0.1 |
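The root cause described above is that an address written in a legacy inet_aton notation (hex or octal parts, fewer than four parts) is not canonicalised before the range check. The following is an added example, not code from the `ip` package, of a check that normalises such input first and fails closed on anything it cannot parse; `0x7F.1` is the advisory's own example, the other sample addresses and the range list are constructed for illustration.

```javascript
// Added example (not code from the `ip` package): canonicalise IPv4 strings written
// in the legacy inet_aton notations (hex or octal parts, fewer than four parts)
// before classifying them, so that "0x7F.1" is recognised as 127.0.0.1.

// Parse one part the way inet_aton does: 0x.. hex, 0.. octal, otherwise decimal.
function parsePart(part) {
  let m;
  if ((m = /^0[xX]([0-9a-fA-F]+)$/.exec(part))) return parseInt(m[1], 16);
  if ((m = /^0([0-7]+)$/.exec(part))) return parseInt(m[1], 8);
  if (/^(0|[1-9][0-9]*)$/.test(part)) return parseInt(part, 10);
  return NaN;
}

// Canonical dotted-quad form of an inet_aton-style address, or null if invalid.
// With fewer than four parts the last part fills the remaining low-order bytes
// ("0x7F.1" -> "127.0.0.1", "10.1" -> "10.0.0.1", "2130706433" -> "127.0.0.1").
function normalizeIPv4(str) {
  const parts = String(str).split('.');
  if (parts.length > 4) return null;
  const nums = parts.map(parsePart);
  if (nums.some(Number.isNaN)) return null;
  const head = nums.slice(0, -1);
  const last = nums[nums.length - 1];
  const tailBytes = 5 - parts.length;               // bytes covered by the final part
  if (head.some(n => n > 255) || last >= 2 ** (8 * tailBytes)) return null;
  const value = head.reduce((acc, n) => acc * 256 + n, 0) * 2 ** (8 * tailBytes) + last;
  return [24, 16, 8, 0].map(s => Math.floor(value / 2 ** s) % 256).join('.');
}

// Non-public IPv4 ranges (constructed list for this example; extend as required).
const NON_PUBLIC_RANGES = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16], ['224.0.0.0', 3],
];

const toInt = dotted => dotted.split('.').reduce((acc, o) => acc * 256 + Number(o), 0);

// True only when the canonical address lies outside every range above.
// Anything that does not parse is treated as non-public (fail closed).
function isPublicIPv4(str) {
  const canon = normalizeIPv4(str);
  if (canon === null) return false;
  const addr = toInt(canon);
  return !NON_PUBLIC_RANGES.some(([base, bits]) =>
    addr >= toInt(base) && addr < toInt(base) + 2 ** (32 - bits));
}

console.log(normalizeIPv4('0x7F.1'), isPublicIPv4('0x7F.1')); // 127.0.0.1 false
```

Canonicalising first is also what makes logging and allow-list comparison meaningful: every spelling of the same loopback address collapses to one string.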