CVE-2024-29415
📋 TL;DR
The ip package for Node.js, through version 2.0.1, improperly classifies certain IP address formats (such as 127.1, 01200034567, and IPv6 variations) as globally routable in its isPublic() function, which allows Server-Side Request Forgery (SSRF). Any Node.js application that relies on a vulnerable version of the ip package to validate IP addresses for security decisions is affected. The issue exists because the fix for CVE-2023-42282 was incomplete.
💻 Affected Systems
- node-ip package
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could bypass IP validation to make internal network requests, potentially accessing sensitive internal services, exfiltrating data, or performing internal reconnaissance.
Likely Case
SSRF attacks allowing access to internal services that should be restricted, potentially leading to data exposure or internal service abuse.
If Mitigated
Limited impact if proper network segmentation and additional validation layers exist beyond the ip package.
🎯 Exploit Status
Exploitation requires the application to use isPublic() for security decisions. The GitHub issues show specific bypass examples.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.2
Vendor Advisory: https://github.com/indutny/node-ip/issues/150
Restart Required: Yes
Instructions:
1. Update package.json to specify "ip": "^2.0.2".
2. Run npm update ip or yarn upgrade ip.
3. Restart your Node.js application.
🔧 Temporary Workarounds
- Implement custom IP validation
- Add additional validation logic before relying on the isPublic() function
🧯 If You Can't Patch
- Implement network-level controls to restrict outbound connections from application servers
- Add application-level validation using multiple methods beyond the ip package
🔍 How to Verify
Check if Vulnerable:
Check package.json or package-lock.json for ip package version ≤2.0.1
Check Version:
npm list ip | grep ip
Verify Fix Applied:
Verify that the ip package version is 2.0.2 or higher in package.json, then test isPublic() with the known bypass inputs (127.1, 01200034567, ::fFFf:127.0.0.1) and confirm that none of them is reported as public.
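The workaround above (custom validation in front of isPublic()) and this verification step (testing with the known bypass inputs) together, as an added JavaScript example that is not node-ip's code: the validator accepts only canonical IPv4 and IPv6 literals, unwraps IPv4-mapped IPv6 before classifying the embedded address, and fails closed on anything else, so shorthand, octal and mixed-case forms can never be reported as public. It does not import the ip package; the names isPublicStrict, canonicalize, wronglyAccepted and the BYPASS_INPUTS list are this example's own, and the list is assembled from the inputs named on this page.

```javascript
// Added example (not node-ip's code): a strict "is this address public?" check
// to put in front of, or in place of, ip.isPublic(). Instead of guessing what a
// lenient parser would make of "127.1", "01200034567" or "::fFFf:127.0.0.1",
// it accepts only canonical literals and rejects everything else.

// Exactly four decimal octets, each 0-255, no leading zeros (so no octal).
const STRICT_V4 = /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;

// IPv4 ranges that must never be treated as public, as [prefix, prefix length].
const NON_PUBLIC_V4 = [
  ['0.0.0.0', 8],       // "this" network
  ['10.0.0.0', 8],      // RFC 1918
  ['100.64.0.0', 10],   // shared address space (CGNAT)
  ['127.0.0.0', 8],     // loopback
  ['169.254.0.0', 16],  // link-local, including cloud metadata endpoints
  ['172.16.0.0', 12],   // RFC 1918
  ['192.168.0.0', 16],  // RFC 1918
  ['224.0.0.0', 4],     // multicast
  ['240.0.0.0', 4],     // reserved and limited broadcast
];

function v4ToInt(quad) {
  return quad.split('.').reduce((acc, o) => acc * 256 + Number(o), 0);
}

function inCidrV4(quad, prefix, len) {
  const mask = (0xffffffff << (32 - len)) >>> 0;
  return ((v4ToInt(quad) & mask) >>> 0) === ((v4ToInt(prefix) & mask) >>> 0);
}

// Expand an IPv6 literal into eight 16-bit hextets, or return null if it is not
// well formed. Zone IDs ("%eth0") fail the hextet check: an outbound target never needs one.
function expandV6(addr) {
  let s = addr.toLowerCase();
  // Rewrite a trailing embedded dotted quad ("::ffff:127.0.0.1") as two hextets.
  const m = s.match(/^(.*:)(\d+\.\d+\.\d+\.\d+)$/);
  if (m) {
    if (!STRICT_V4.test(m[2])) return null;
    const n = v4ToInt(m[2]);
    s = m[1] + (n >>> 16).toString(16) + ':' + (n & 0xffff).toString(16);
  }
  const halves = s.split('::');
  if (halves.length > 2) return null;
  const toGroups = (part) => (part === '' ? [] : part.split(':'));
  const head = toGroups(halves[0]);
  const tail = halves.length === 2 ? toGroups(halves[1]) : [];
  const fill = 8 - head.length - tail.length;
  if (halves.length === 2 ? fill < 1 : fill !== 0) return null;
  const groups = [...head, ...new Array(fill).fill('0'), ...tail];
  if (!groups.every((g) => /^[0-9a-f]{1,4}$/.test(g))) return null;
  return groups.map((g) => parseInt(g, 16));
}

// Reduce an untrusted string to one canonical form, unwrapping IPv4-mapped IPv6
// so the embedded IPv4 is judged by the IPv4 rules instead of slipping past them.
function canonicalize(addr) {
  if (typeof addr !== 'string') return null;
  const s = addr.trim();
  if (STRICT_V4.test(s)) return { family: 'v4', quad: s };
  const h = expandV6(s);
  if (!h) return null;
  if (h.slice(0, 5).every((x) => x === 0) && h[5] === 0xffff) {
    const quad = [h[6] >> 8, h[6] & 0xff, h[7] >> 8, h[7] & 0xff].join('.');
    return { family: 'v4', quad };
  }
  return { family: 'v6', hextets: h };
}

// Fail closed: anything unparseable or non-canonical is reported as NOT public.
function isPublicStrict(addr) {
  const c = canonicalize(addr);
  if (!c) return false;
  if (c.family === 'v4') {
    return !NON_PUBLIC_V4.some(([prefix, len]) => inCidrV4(c.quad, prefix, len));
  }
  const h = c.hextets;
  if (h.slice(0, 7).every((x) => x === 0) && h[7] <= 1) return false; // :: and ::1
  if ((h[0] & 0xfe00) === 0xfc00) return false;   // fc00::/7 unique local
  if ((h[0] & 0xffc0) === 0xfe80) return false;   // fe80::/10 link-local
  if ((h[0] & 0xff00) === 0xff00) return false;   // ff00::/8 multicast
  return true;
}

// Regression check built from the bypass inputs named in the advisory (list
// constructed here). Pass ip.isPublic after upgrading to 2.0.2 to verify the
// fix, or isPublicStrict to verify this validator; a non-empty result means
// some input is still reported as public.
const BYPASS_INPUTS = ['127.1', '01200034567', '::fFFf:127.0.0.1', '::ffff:7f00:1'];
function wronglyAccepted(check = isPublicStrict) {
  return BYPASS_INPUTS.filter((a) => check(a) === true);
}

console.log('bypass inputs wrongly reported public:', wronglyAccepted());
console.log('8.8.8.8 public?', isPublicStrict('8.8.8.8'));
```

Use isPublicStrict(host) before any outbound request whose destination comes from user input, and keep wronglyAccepted(ip.isPublic) in CI so a future downgrade of the ip package fails the build.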
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from application servers to internal IP ranges
- Requests with unusual IP address formats
Network Indicators:
- Outbound connections from application servers to internal services that should be restricted
SIEM Query:
source='application_logs' AND (http_request LIKE '%127.1%' OR http_request LIKE '%01200034567%' OR http_request LIKE '%::fFFf:127.0.0.1%')
🔗 References
- https://github.com/indutny/node-ip/issues/150
- https://github.com/indutny/node-ip/pull/143
- https://github.com/indutny/node-ip/pull/144
- https://security.netapp.com/advisory/ntap-20250117-0010/