CVE-2024-29415

EUVD-2024-1886
The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.
SSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.1 HIGH
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 99%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
fedorindutnyip
𝑥
< 2.0.1
ADP
Debian logo
Debian Releases
Debian Product
Codename
node-ip
bookworm
no-dsa
bullseye
no-dsa
buster
postponed
forky
2.0.1+~1.1.3-3
fixed
sid
2.0.1+~1.1.3-3
fixed
trixie
2.0.1+~1.1.3-3
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
node-ip
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
mantic
ignored
noble
needs-triage
oracular
ignored
plucky
needs-triage
questing
needs-triage
Common Weakness Enumeration
References
https://github.com/indutny/node-ip/issues/150
https://github.com/indutny/node-ip/pull/143
https://github.com/indutny/node-ip/pull/144
https://github.com/indutny/node-ip/issues/150
https://github.com/indutny/node-ip/pull/143
https://github.com/indutny/node-ip/pull/144
https://security.netapp.com/advisory/ntap-20250117-0010/