CVE-2020-28360
Insufficient RegEx vulnerability in private-ip (npm)

Weakness: Insufficient RegEx. Known exploits: none.

What is CVE-2020-28360 About?

This vulnerability involves Insufficient RegEx in the `private-ip` npm package, which fails to properly filter reserved IP ranges, leading to Server-Side Request Forgery (SSRF). Attackers can leverage this to make requests to internal resources, potentially enabling server-side attacks. Exploitation is relatively straightforward for an attacker who can control input to the package.

Affected Software

private-ip <2.0.0

Technical Details

The private-ip npm package versions 1.0.5 and below contain an insufficient regular expression (RegEx) that inadequately filters out reserved IP ranges. This flaw allows an attacker to bypass intended restrictions and direct server-side requests to ARIN reserved IP addresses that are typically considered private or internal. By crafting specific input that is not properly validated by the RegEx, an attacker can trick the server into making requests to arbitrary internal network resources, facilitating SSRF attacks. This opens avenues for requesting server-side resources or potentially executing arbitrary code through various SSRF techniques.
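As an added example (not code from the private-ip package), the check below shows the mitigation the advisory points to: instead of matching reserved ranges with a regular expression over the text, it parses the address into a number and tests it against the IANA special-purpose ranges, and it fails closed on any spelling it does not understand. The range list and function names are the example's own.

```javascript
// Added example (not the private-ip package's code): a numeric, non-regex check for
// reserved IPv4 ranges. Ranges follow the IANA special-purpose address registry.
const RESERVED_V4 = [
  ['0.0.0.0', 8],        // "this" network
  ['10.0.0.0', 8],       // RFC 1918 private
  ['100.64.0.0', 10],    // shared address space (CGNAT)
  ['127.0.0.0', 8],      // loopback
  ['169.254.0.0', 16],   // link-local
  ['172.16.0.0', 12],    // RFC 1918 private
  ['192.0.0.0', 24],     // IETF protocol assignments
  ['192.0.2.0', 24],     // TEST-NET-1
  ['192.168.0.0', 16],   // RFC 1918 private
  ['198.18.0.0', 15],    // benchmarking
  ['198.51.100.0', 24],  // TEST-NET-2
  ['203.0.113.0', 24],   // TEST-NET-3
  ['224.0.0.0', 4],      // multicast
  ['240.0.0.0', 4],      // reserved for future use, includes broadcast
];
// Parse a plain dotted-quad (four decimal octets, no leading zeros) into a 32-bit unsigned
// integer. Any other spelling returns null so the caller can fail closed instead of guessing.
function parseIPv4(str) {
  const parts = str.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^(0|[1-9][0-9]{0,2})$/.test(p)) return null;
    const v = Number(p);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n >>> 0;
}
// True when addr falls inside base/bits.
function inCidr(addr, base, bits) {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((addr & mask) >>> 0) === ((base & mask) >>> 0);
}
// An IPv4-mapped IPv6 literal (::ffff:a.b.c.d) carries an IPv4 address; check that address.
function unwrapMapped(str) {
  const m = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/i.exec(str);
  return m ? m[1] : str;
}
// Returns true for reserved/private addresses AND for anything that does not parse (fail closed).
function isReserved(input) {
  const addr = parseIPv4(unwrapMapped(String(input).trim()));
  if (addr === null) return true;
  return RESERVED_V4.some(([base, bits]) => inCidr(addr, parseIPv4(base), bits));
}
```

Because the decision is made on the parsed 32-bit value, every textual variant of a reserved address either normalizes to the same number or is rejected outright, which is the property a regex-based filter lacks.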

What is the Impact of CVE-2020-28360?

Successful exploitation may allow attackers to access internal network resources, bypass network segmentation, and potentially compromise internal services, leading to data exposure or remote code execution.

What is the Exploitability of CVE-2020-28360?

Exploitation is likely of medium complexity, requiring the attacker to control input passed to the private-ip package. There are no explicit authentication or privilege requirements mentioned, suggesting it could be exploited by an unauthenticated attacker if the input mechanism is publicly accessible. This is primarily a remote exploitation scenario. The main prerequisite is the ability to inject malicious IP addresses or related strings into the application's input that utilizes the vulnerable package. The risk is heightened in applications that use this package for validating user-supplied URIs or IP addresses for server-side requests.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2020-28360?

Available Upgrade Options

  • private-ip
    • <2.0.0 → Upgrade to 2.0.0


Additional Resources

What are Similar Vulnerabilities to CVE-2020-28360?

Similar Vulnerabilities: CVE-2021-29447, CVE-2021-3636, CVE-2021-23338, CVE-2022-24348, CVE-2022-21703