Vulnerability

CVE-2023-42282

 Report advisory or correction

CVSS Score 9.8 critical

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-918

References

https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html
https://github.com/advisories/GHSA-78xj-cgh5-2h22
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42282

[CVE-2023-42282] CWE-918: Server-Side Request Forgery (SSRF)

Description

The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.

See ip package information