CVE-2025-59436

EUVD-2025-29357
The ip (aka node-ip) package through 2.0.1 (in NPM) might allow SSRF because the IP address value 017700000001 is improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2024-29415.
SSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
mitreCNA
3.2 LOW
LOCAL
HIGH
NONE
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
fedorindutnyip
𝑥
≤ 2.0.1
CNA
Debian logo
Debian Releases
Debian Product
Codename
node-ip
bookworm
2.0.0+~1.1.0-1
fixed
bullseye
1.1.5-5
fixed
forky
vulnerable
sid
vulnerable
trixie
vulnerable
Common Weakness Enumeration
References
https://cosmosofcyberspace.github.io/CVE-Application-Document.html
https://github.com/indutny/node-ip/issues/160