The get-ip-range package before 4.0.0 for Node.js is vulnerable to denial of service (DoS) if the range is untrusted input. An attacker could send a large range (such as 128.0.0.0/1) that causes resource exhaustion.
{
"unresolved_ranges": [
{
"extracted_events": [
{
"fixed": "4.0.0"
}
],
"source": "CPE_RANGE",
"vendor_product": "get-ip-range_project:get-ip-range",
"cpes": [
"cpe:2.3:a:get-ip-range_project:get-ip-range:*:*:*:*:*:node.js:*:*"
]
},
{
"source": "DESCRIPTION",
"extracted_events": [
{
"fixed": "4.0.0"
}
]
}
]
}