CVE-2023-42282
SSRF vulnerability in ip (npm)


What is CVE-2023-42282 About?

The `isPublic()` function in the NPM package `ip` (all versions before 1.1.9 and 2.0.1) incorrectly identifies certain private IP addresses as public. This can lead to Server-Side Request Forgery (SSRF) if applications rely on this function to protect sensitive code paths from user-supplied input. Exploitation relies on unusual IP address formats. Under those conditions it is a moderately easy vulnerability to exploit.

Affected Software

  • ip
    • >2.0.0, <2.0.1
    • <1.1.9

Technical Details

The isPublic() function within the NPM ip package, in versions prior to 1.1.9 and 2.0.1, fails to classify certain non-standard representations of private IP addresses (e.g., 0x7F.1 as an alternative notation for 127.0.0.1) as private. Instead, it returns true, indicating they are public. The misclassification becomes exploitable when applications use isPublic() to filter or validate user-supplied IP addresses before making server-side requests. An attacker can supply such an unusual IP address format, which isPublic() incorrectly allows, to bypass the intended protection and induce the server-side application to make requests to internal or restricted resources, leading to SSRF.

What is the Impact of CVE-2023-42282?

Successful exploitation may allow attackers to perform Server-Side Request Forgery (SSRF), enabling them to access internal network resources, bypass firewalls, conduct port scanning, or interact with other services not intended for external communication.

What is the Exploitability of CVE-2023-42282?

Exploitation of this vulnerability is moderately easy. It requires the application to use the isPublic() function from the vulnerable ip package to validate user-supplied IP addresses for network requests. An attacker can remotely submit a specially crafted IP address string. There are no specific authentication or privilege requirements from the attacker's perspective, beyond the ability to submit input to the vulnerable application. The vulnerability is typically found in web applications that accept network-related input and perform server-side actions based on it. The primary risk factor is any perimeter-facing application that uses this package for IP validation before making internal calls or requests.

What are the Known Public Exploits?

No known exploits (no PoC, author, link or commentary listed).

What are the Available Fixes for CVE-2023-42282?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch ensures that IPv4 addresses in unusual notations (such as octal and hexadecimal) are properly normalized and validated before being checked against private and loopback ranges, addressing the parsing ambiguity that led to the security bypass. By introducing thorough normalization and validation routines, it prevents attackers from using alternative notations to make private or loopback addresses pass as public, which is the root cause of CVE-2023-42282.
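As an added example illustrating both the Technical Details above and the normalization the fix description calls for (this is not the ip package's code and not the Resolved Security patch), the following JavaScript parses inet_aton-style IPv4 notations (hexadecimal, octal, short forms such as 0x7F.1, and a single 32-bit integer) into a canonical dotted-decimal address before testing private and loopback ranges, and treats anything it cannot parse as blocked. The names normalizeIPv4, isPrivateIPv4 and BLOCKED_RANGES are assumptions.

```javascript
// Added example, not the ip package's code: normalize inet_aton-style IPv4
// notations before classifying an address. Function names are assumptions.
// Parse one dotted part the way inet_aton does: 0x.. hex, 0.. octal, else decimal.
function parsePart(part) {
  let m;
  if ((m = /^0[xX]([0-9a-fA-F]+)$/.exec(part))) return parseInt(m[1], 16);
  if ((m = /^0([0-7]+)$/.exec(part))) return parseInt(m[1], 8);
  if (/^(0|[1-9][0-9]*)$/.test(part)) return parseInt(part, 10);
  return NaN; // anything else (empty, "08", letters) is invalid
}

// Return the canonical "a.b.c.d" form, or null if the input is not IPv4 in any notation.
function normalizeIPv4(str) {
  const parts = String(str).trim().split('.');
  if (parts.length > 4) return null;
  const nums = parts.map(parsePart);
  if (nums.some(Number.isNaN)) return null;
  // inet_aton semantics: the last part fills all remaining bytes, so "0x7F.1" is 127.0.0.1.
  const head = nums.slice(0, -1);
  const last = nums[nums.length - 1];
  const tailBytes = 4 - head.length;
  if (head.some(n => n > 255) || last >= 2 ** (8 * tailBytes)) return null;
  let value = 0;
  for (const n of head) value = value * 256 + n;
  value = value * 2 ** (8 * tailBytes) + last;
  return [24, 16, 8, 0].map(s => (value >>> s) & 255).join('.');
}

// Private, loopback, link-local and "this network" ranges an SSRF filter should block.
const BLOCKED_RANGES = [
  ['10.0.0.0', 8], ['172.16.0.0', 12], ['192.168.0.0', 16],
  ['127.0.0.0', 8], ['169.254.0.0', 16], ['0.0.0.0', 8],
];

function toUint32(dotted) {
  return dotted.split('.').reduce((acc, b) => acc * 256 + Number(b), 0);
}

// True if the address falls in a blocked range. Unparseable input counts as
// blocked, so the filter fails closed instead of letting odd notations through.
function isPrivateIPv4(str) {
  const canon = normalizeIPv4(str);
  if (canon === null) return true;
  const v = toUint32(canon);
  return BLOCKED_RANGES.some(([net, bits]) => {
    const mask = (0xFFFFFFFF << (32 - bits)) >>> 0;
    return ((v & mask) >>> 0) === ((toUint32(net) & mask) >>> 0);
  });
}
```

With this ordering, 0x7F.1, 0177.0.0.1 and 2130706433 all normalize to 127.0.0.1 and are rejected, whereas a check that inspects the raw string sees three different values.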

Available Upgrade Options

  • ip
    • <1.1.9 → Upgrade to 1.1.9
  • ip
    • >2.0.0, <2.0.1 → Upgrade to 2.0.1


Additional Resources

What are Similar Vulnerabilities to CVE-2023-42282?

Similar Vulnerabilities: CVE-2023-39325, CVE-2023-44270, CVE-2022-48590, CVE-2023-38407, CVE-2023-32002