Cloud Vulnerability DB
A community-led vulnerabilities database
Vulnerability DatabaseCVE-2024-29415
CVE-2024-29415:
JavaScript vulnerability analysis and mitigation
Overview
The ip package through 2.0.1 for Node.js contains a significant security vulnerability (CVE-2024-29415) that could potentially lead to Server-Side Request Forgery (SSRF) attacks. The vulnerability stems from improper categorization of certain IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) as globally routable via the isPublic function. This issue exists due to an incomplete fix for a previous vulnerability, CVE-2023-42282 (Security Online, NVD).
Technical details
The vulnerability lies in the isPublic() function's flawed implementation, which incorrectly identifies certain private IP addresses as public. The root cause is attributed to the API design itself, which does not return normalized parsing results, leading to parser discrepancies when users rely on the original, potentially malformed input. The vulnerability has received a CVSS v3.1 base score of 8.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (NetApp Advisory).
Impact
Successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). The package, which has over 19 million downloads each week, exposes applications to potential SSRF attacks when the isPublic()/isPrivate()/isLoopback() functions are used to guard outgoing network requests (Security Online).
Mitigation and workarounds
As of now, no official patch has been applied to the original node-ip package, though a proposed patch is available in pull request #144 on the package's GitHub repository. Given the package's lack of active maintenance, users are strongly advised to migrate to alternative packages that offer similar functionalities with better support and active development. For those who must continue using the package, it is crucial to thoroughly review their codebase to ensure that the isPublic(), isPrivate(), and isLoopback() functions are not used to guard sensitive network requests (Security Online).
Community reactions
The security community has expressed concern about the package's maintenance status, with multiple security researchers and users calling for urgent action. The package maintainer has been noted as unresponsive to recent issues, leading to recommendations for users to switch to alternative, actively maintained libraries (GitHub PR).
Additional resources
Source: This report was generated using AI
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Additional Wiz resources
Get a personalized demo
Ready to see Wiz in action?
"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management