CVE-2023-42282
📋 TL;DR
The ip package for Node.js before version 1.1.9 mis-classifies some non-canonical IPv4 literals in its isPublic() function: a string such as 0x7f.1, which libc resolvers and the WHATWG URL parser both read as 127.0.0.1, is reported as globally routable. An application that uses isPublic() to approve outbound request targets can therefore be made to request loopback or internal addresses (Server-Side Request Forgery). Any Node.js application that relies on the vulnerable ip package for that check is affected.
💻 Affected Systems
- Node.js applications using the 'ip' npm package
📦 What is this software?
ip (npm package; source repository indutny/node-ip) by Fedor Indutny
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access sensitive internal services, cloud metadata endpoints, or administrative interfaces, potentially leading to data exfiltration, privilege escalation, or internal network compromise.
Likely Case
SSRF attacks bypassing IP validation controls to access internal HTTP services, APIs, or metadata endpoints that should be restricted.
If Mitigated
Limited impact if additional network segmentation, egress filtering, or request validation layers exist beyond the ip package.
🎯 Exploit Status
Proof of concept available in public references. Exploitation requires an application endpoint that uses isPublic() for validation and makes HTTP requests based on that validation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: ip package version 1.1.9
Fix Commit: https://github.com/indutny/node-ip/commit/6a3ada9b471b09d5f0f5be264911ab564bf67894
Restart Required: Yes
Instructions:
1. Set the dependency to 'ip': '^1.1.9' in package.json. Check transitive dependents as well: 'npm ls ip' lists every package that pulls ip in, and each of those copies must also resolve to a fixed version.
2. Run 'npm update ip' (or 'yarn upgrade ip') and confirm the lockfile now resolves every copy of ip to 1.1.9 or later.
3. Restart the Node.js application so the new module is loaded.
🔧 Temporary Workarounds
Manual IP validation
Do not rely on the ip package's isPublic() alone. Accept only canonical dotted-quad literals (Node's net.isIP() returns 4 only for those), or canonicalize the target through the WHATWG URL parser first, and then check the result against your own deny-list of loopback, RFC 1918 and link-local ranges.
Network egress filtering
Configure host or network firewalls so application servers can reach only the external destinations they need, and explicitly block 169.254.169.254 and RFC 1918 ranges where the service has no legitimate reason to reach them.
🧯 If You Can't Patch
- Reject non-canonical IP literals (hex, octal, shorthand or bare-integer forms) at the application boundary before the value reaches the ip package, and for hostnames check the address actually resolved rather than the name alone
- Deploy network controls to restrict application server access to internal resources and metadata endpoints
🔍 How to Verify
Check if Vulnerable:
Run 'npm ls ip' to list every installed copy of the package, including transitive ones, with its version; any copy below 1.1.9 is vulnerable. Checking only the top-level package.json misses copies pulled in by other dependencies.
Check Version:
npm list ip | grep ip@ or node -e "console.log(require('ip/package.json').version)"
Verify Fix Applied:
Verify ip package version is 1.1.9 or higher in package.json and node_modules
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from application servers
- Requests to internal IP addresses or metadata endpoints
Network Indicators:
- HTTP requests with unusual IP formats in destination fields
- Traffic from application servers to restricted internal networks
SIEM Query:
Run this over the request target as the application logged it (the raw URL host string, here dest_host), not over the network-layer destination address: by the time the packet leaves the host the destination is already the canonical 127.0.0.1, and the telltale spelling is gone.
source='application_logs' AND action='outbound_request' AND (dest_host LIKE '0x%' OR dest_host LIKE '0%.%' OR dest_host NOT LIKE '%.%' OR dest_host LIKE '127.%' OR dest_host LIKE '10.%' OR dest_host LIKE '192.168.%' OR dest_host LIKE '169.254.%')
The first three terms catch hex, octal and bare-integer spellings; the rest catch canonical internal addresses. Add 172.16.0.0/12 with your SIEM's CIDR matching function, since it does not reduce to a single LIKE prefix.
🔗 References
- https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html
- https://github.com/indutny/node-ip/commit/6a3ada9b471b09d5f0f5be264911ab564bf67894
- https://huntr.com/bounties/bfc3b23f-ddc0-4ee7-afab-223b07115ed3/
- https://security.netapp.com/advisory/ntap-20240315-0008/
- https://www.bleepingcomputer.com/news/security/dev-rejects-cve-severity-makes-his-github-repo-read-only/