CVE-2024-29415 — ip SSRF improper categorization in isPublic

Description

The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.

How to fix CVE-2024-29415

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed
—no fix listed

Is CVE-2024-29415 being exploited?

Likely — EPSS is 84.3%, placing CVE-2024-29415 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (2)

from 0
from 0, <= 2.0.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.1	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-29415
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2024-29415
PATCHgithub.com/indutny/node-ip
WEBgithub.com/indutny/node-ip/issues/150
WEBgithub.com