Bug 2284554 (CVE-2024-29415) - CVE-2024-29415 node-ip: Incomplete fix for CVE-2023-42282
Summary: CVE-2024-29415 node-ip: Incomplete fix for CVE-2023-42282
Keywords:
Status: NEW
Alias: CVE-2024-29415
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2284588 2284589 2284592 2294513
Blocks: 2284560
TreeView+ depends on / blocked
 
Reported: 2024-06-03 13:23 UTC by Pedro Sampaio
Modified: 2024-09-01 08:28 UTC (History)
110 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in node-ip. The fix for CVE-2023-42282 in the ip package for Node.js was incomplete, and the issue may still be triggered using some IP addresses.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description Pedro Sampaio 2024-06-03 13:23:24 UTC
The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.

References:

https://github.com/indutny/node-ip/issues/150
https://github.com/indutny/node-ip/pull/143
https://github.com/indutny/node-ip/pull/144

Comment 1 Pedro Sampaio 2024-06-03 13:55:56 UTC
Created golang-github-prometheus tracking bugs for this issue:

Affects: epel-all [bug 2284588]


Created magicmirror tracking bugs for this issue:

Affects: fedora-all [bug 2284589]

Comment 9 Dhananjay Arunesh 2024-06-27 10:51:22 UTC
Created nodejs-ip tracking bugs for this issue:

Affects: epel-7 [bug 2294513]

Comment 10 Elena Gilbert 2024-07-11 09:06:32 UTC
This node-ip bug (CVE-2024-29415) is wreaking havoc on my https://retrobowl.college web game! Just when I thought things were fixed (CVE-2023-42282), this pops up and is causing all sorts of issues.


Note You need to log in before you can comment on or make changes to this bug.