Vulnerability DatabaseCVE-2023-42282

CVE-2023-42282:
JavaScript vulnerability analysis and mitigation

Overview

The ip package before version 1.1.9 for Node.js contains a vulnerability identified as CVE-2023-42282, discovered in late 2022. The vulnerability affects the package's isPublic() function, which incorrectly categorizes certain IP addresses (such as 0x7f.1) as globally routable when they are actually private addresses. This package, being one of the most popular IP address parsing utilities with 17 million weekly downloads on npmjs.com, has significant reach across the Node.js ecosystem (Bleeping Computer).

Technical details

The vulnerability stems from the ip.isPublic() function's inability to correctly interpret and classify non-standard IP address formats. Specifically, the function fails to recognize hexadecimal representations of private IP addresses, such as '0x7f.1' (which represents 127.1), incorrectly identifying them as public IP addresses. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

Impact

The vulnerability could potentially lead to Server-Side Request Forgery (SSRF) attacks when applications rely solely on the package's isPublic() function to validate IP addresses. This could result in unauthorized access to internal network resources, disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS) (NetApp Advisory).

Mitigation and workarounds

The vulnerability has been fixed in version 1.1.9 of the ip package. Users are advised to upgrade to this version or later to address the vulnerability. The fix includes proper handling of non-standard IP address formats in the isPublic() function (NVD).

Community reactions

The vulnerability has sparked significant discussion in the developer community, particularly regarding the severity rating. The project's maintainer, Fedor Indutny, ultimately archived the GitHub repository, making it read-only, due to the constant stream of messages about the CVE. This incident has contributed to a broader discussion about the CVE system and its impact on open-source maintainers (Bleeping Computer).

Additional resources

Source: This report was generated using AI

9.8

Score

Published February 8, 2024

Severity CRITICAL

CNA Score 9.8

Affected Technologies

JavaScript
npm

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 52.1

Exploitation Probability (EPSS) 0.3

Affected packages and libraries

npm
renovate

Sources

NVD
CBL-Mariner
- CBL-Mariner 2.0 Severity CRITICALHas FixAdded at: Mar 07, 2024
- CBL-Mariner 3.0 Severity CRITICALHas FixAdded at: May 04, 2025
Chainguard
- Chainguard Has FixAdded at: Feb 14, 2024
Debian Security Tracker
- Debian 10, 11, 12 Severity MEDIUMNo FixAdded at: Feb 11, 2024
- Debian 13 Severity CRITICALHas FixAdded at: Feb 11, 2024
GitHub Advisory Database
- npm Severity LOWHas FixAdded at: Feb 11, 2024
Nix
- Nix Severity CRITICALNo FixAdded at: Feb 15, 2024
Ubuntu Security Tracker
- Ubuntu 18.04, 20.04, 22.04, 23.10 Severity MEDIUMHas FixAdded at: Feb 20, 2024
- Ubuntu 24.04 Severity MEDIUMHas FixAdded at: May 06, 2024
- Ubuntu 24.10 Severity MEDIUMHas FixAdded at: Dec 10, 2024
- Ubuntu 25.04 Severity MEDIUMHas FixAdded at: May 08, 2025
Wolfi
- Wolfi Has FixAdded at: Feb 14, 2024