2284554 – (CVE-2024-29415) CVE-2024-29415 node-ip: Incomplete fix for CVE-2023-42282

Bug 2284554 (CVE-2024-29415) - CVE-2024-29415 node-ip: Incomplete fix for CVE-2023-42282

Summary: CVE-2024-29415 node-ip: Incomplete fix for CVE-2023-42282

Keywords:
Status:	NEW
Alias:	CVE-2024-29415
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2284588 2284589 2284592 2294513
Blocks:	2284560
TreeView+	depends on / blocked

Reported:	2024-06-03 13:23 UTC by Pedro Sampaio
Modified:	2025-04-18 08:27 UTC (History)
CC List:	122 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2024:10236	0	None	None	None	2024-11-25 18:24:44 UTC

Description Pedro Sampaio 2024-06-03 13:23:24 UTC

The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.

References:

https://github.com/indutny/node-ip/issues/150
https://github.com/indutny/node-ip/pull/143
https://github.com/indutny/node-ip/pull/144

Comment 1 Pedro Sampaio 2024-06-03 13:55:56 UTC

Created golang-github-prometheus tracking bugs for this issue:

Affects: epel-all [bug 2284588]


Created magicmirror tracking bugs for this issue:

Affects: fedora-all [bug 2284589]

Comment 9 Dhananjay Arunesh 2024-06-27 10:51:22 UTC

Created nodejs-ip tracking bugs for this issue:

Affects: epel-7 [bug 2294513]

Comment 10 Elena Gilbert 2024-07-11 09:06:32 UTC

This node-ip bug (CVE-2024-29415) is wreaking havoc on my https://retrobowl.college web game! Just when I thought things were fixed (CVE-2023-42282), this pops up and is causing all sorts of issues.

Comment 12 errata-xmlrpc 2024-11-25 18:24:37 UTC

This issue has been addressed in the following products:

  Red Hat OpenShift Dev Spaces 3 Containers

Via RHSA-2024:10236 https://access.redhat.com/errata/RHSA-2024:10236

Note You need to log in before you can comment on or make changes to this bug.

aazores
abarbaro
akostadi
alcohan
amasferr
amctagga
anjoseph
asoldano
bbaranow
bbuckingham
bcourt
bdettelb
bmaxwell
brian.stansberry
caswilli
cbartlet
cdaley
cdewolf
chazlett
cmah
cmiranda
darran.lofthouse
dfreiber
dhanak
dkreling
dkuc
dmayorov
doconnor
dosoudil
drow
eaguilar
ebaron
ecerquei
ehelms
eric.wittmann
fjansen
fjuma
ggainey
gkamathe
gmalinko
gparvin
gtanzill
hhorak
hkataria
ibek
istudens
ivassile
iweiss
janstey
jburrell
jcantril
jchui
jhe
jkang
jlledo
jolong
jorton
jpallich
jprabhak
jrokos
jshaughn
jsherril
juwatts
jwendell
kaycoth
kshier
ktsao
kverlaen
lbainbri
lgao
lzap
mhulan
mkudlej
mmakovy
mnovotny
mosmerov
msochure
mstefank
msvehla
mwringe
nbecker
nboldt
nipatil
njean
nmoumoul
nodejs-maint
nwallace
orabin
owatkins
pahickey
pantinor
parichar
pcongius
pcreech
pdelbell
pesilva
pjindal
pmackay
psrna
rcernich
rchan
retrobowlgame.college
rguimara
rhaigner
rkubis
rojacob
rstancel
rstepani
rtaniwa
sdawley
sfroberg
sidakwo
smaestri
smallamp
tasato
teagle
tjochec
tkral
tom.jenkinson
twalsh
vkumar
wtam