CVE-2024-29415

The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.

References

Affected packages

Debian:11 / node-ip

Package

Name: node-ip
Purl: pkg:deb/debian/node-ip?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.1.5-5

1.1.5+~1.1.0-1

2.*

2.0.0+~1.1.0-1

2.0.1+~1.1.3-1

2.0.1+~1.1.3-2

2.0.1+~1.1.3-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / node-ip

Package

Name: node-ip
Purl: pkg:deb/debian/node-ip?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.0.0+~1.1.0-1

2.0.1+~1.1.3-1

2.0.1+~1.1.3-2

2.0.1+~1.1.3-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / node-ip

Package

Name: node-ip
Purl: pkg:deb/debian/node-ip?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.0.1+~1.1.3-3

Affected versions

2.*

2.0.0+~1.1.0-1

2.0.1+~1.1.3-1

2.0.1+~1.1.3-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/indutny/node-ip

Affected ranges

Type: GIT
Repo: https://github.com/indutny/node-ip
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

3b0994a74eca51df01f08c40d6a65ba0e1845d04

Affected versions

v0.*

v0.0.1

v0.0.2

v0.0.3

v0.0.4

v0.0.5

v0.1.0

v0.2.0

v0.3.0

v0.3.1

v0.3.2

v0.3.3

v0.3.4

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.1.0

v1.1.1

v1.1.2

v1.1.4

v1.1.5

v1.1.6

v2.*

v2.0.0

v2.0.1