The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282. References: https://github.com/indutny/node-ip/issues/150 https://github.com/indutny/node-ip/pull/143 https://github.com/indutny/node-ip/pull/144
Created golang-github-prometheus tracking bugs for this issue: Affects: epel-all [bug 2284588] Created magicmirror tracking bugs for this issue: Affects: fedora-all [bug 2284589]
Created nodejs-ip tracking bugs for this issue: Affects: epel-7 [bug 2294513]
This node-ip bug (CVE-2024-29415) is wreaking havoc on my https://retrobowl.college web game! Just when I thought things were fixed (CVE-2023-42282), this pops up and is causing all sorts of issues.