2395629 – (CVE-2025-59436) CVE-2025-59436 ip: Node ip SSRF

Bug 2395629 (CVE-2025-59436) - CVE-2025-59436 ip: Node ip SSRF

Summary: CVE-2025-59436 ip: Node ip SSRF

Keywords:
Status:	NEW
Alias:	CVE-2025-59436
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2395925 2395926 2395927
Blocks:
TreeView+	depends on / blocked

Reported:	2025-09-16 03:01 UTC by OSIDB Bzimport
Modified:	2025-09-16 20:08 UTC (History)
CC List:	60 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-09-16 03:01:13 UTC

The ip (aka node-ip) package through 2.0.1 (in NPM) might allow SSRF because the IP address value 017700000001 is improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2024-29415.

Note You need to log in before you can comment on or make changes to this bug.

aazores
alcohan
anjoseph
asoldano
bbaranow
bdettelb
bmaxwell
brian.stansberry
caswilli
cmah
darran.lofthouse
dhanak
dkreling
doconnor
dosoudil
drosa
dsimansk
eaguilar
ebaron
eric.wittmann
fjuma
gmalinko
gparvin
ibek
istudens
ivassile
iweiss
janstey
jolong
jprabhak
jrokos
kaycoth
kingland
kverlaen
manissin
matzew
mnovotny
mosmerov
msochure
msvehla
nipatil
njean
nwallace
owatkins
pahickey
pantinor
pdelbell
pesilva
pjindal
pmackay
rhaigner
rkubis
rstancel
rstepani
sausingh
sdawley
smaestri
teagle
tom.jenkinson
wtam