🚨 HIGH Severity Vulnerability: Package unsafe for use as of v1.1.8 🚨 #136

Open
taylorjdawson opened this issue Feb 9, 2024 · 25 comments · Fixed by Unleash/unleash#6265 or Unleash/unleash#6266

Comments

@taylorjdawson

Until a PR is merged to mitigate this attack vector, the package should be deemed unsafe for use.

NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks; see the GitHub advisory for more information.

@carnil

carnil commented Feb 9, 2024

CVE-2023-42282 is associated with this issue, mentioning it for cross-reference as well.

@glitch-txs

@indutny any update on this?

@levpachmanov

Hi @taylorjdawson @carnil @glitch-txs,

Notice that ip@2.0.0 is affected by CVE-2023-42282 - github/advisory-database#3504

We're part of a startup called Seal Security that mitigates software vulnerabilities in older open source versions by backporting/creating standalone security patches, enabling more straightforward remediation in cases like this. We created ip 1.1.8-sp and 2.0.0-sp1, which are vulnerability-free. As with all of our patches, they're open-source and available for free.

If relevant, check out our GitHub repo if you wish to learn more, or start using our app.

Please feel free to reach us at info@seal.security if you have any requests/questions.

@mukitmomin

Looks like there is an open PR: #138 that fixes this issue. Any timeline on when it will be merged and released?

@damonholden

Any update on this?

@aminekun90

Any update on this?

There is an open PR for this ... --'

@levpachmanov

@mukitmomin @damonholden @aminekun90 notice @mnikolaus's comment on #138 that the current PR covers only a limited number of cases, and, as @n0099 mentioned, there are many other options.

@damonholden

Are there any known workarounds then? We've had to move our project to critical vulnerability blockers only for this.

@aminekun90

> Are there any known workarounds then? We've had to move our project to critical vulnerability blockers only for this.

For our project we unfortunately got rid of the library using node-ip

@levpachmanov

@damonholden - as others suggested, you might try getting rid of node-ip. Alternatively, we (Seal Security) released a patch that we believe covers all the cases. You can check out our GitHub repo and our app - it's free to use for open source projects.

@dchambers

> We're part of a startup called Seal Security that mitigates software vulnerabilities in older open source versions by backporting/creating standalone security patches

@levpachmanov, may I ask, was it also your team that reported the issue to NIST in the first place?

@levpachmanov

@dchambers no, the credit goes to @cosmosofcyberspace AFAIK. We have only suggested updating the affected version range of the advisory (even though @G-Rath did it first) and trying to help the community remediate the risk.

@dotboris

dotboris commented Feb 13, 2024

I feel that this CVE is less critical than it's made to appear and that this issue (title + description) is a bit alarmist.

What's going on here is that the isPublic(...) function from this package has a bug. It fails to recognize some IPs in hex format as private. This doesn't make it a security issue in its own right.

The advisory labels this a high and talks of remote code execution, information disclosure and server-side request forgery. None of that is true when you look at ip in isolation.

You're only vulnerable to anything remotely close to what the advisory talks about if:

  • You have a vulnerable version of ip in your deps
  • and you or your dependencies use the isPublic() function
  • and that function is used to guard something sensitive
  • and the input you pass to isPublic() is user input

Only then, you have a problem.

If you've somehow landed here because your favourite / work-imposed security tool is raising an alarm about this, you're probably fine. I suggest that you check for yourself to see if your code is affected. It most likely isn't.

I personally did this by searching for isPublic( in my code and node_modules and found nothing to be alarmed about.
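An added example, not code from the node-ip project or from this commenter: a fail-closed "is this address public?" guard that accepts only canonical dotted-decimal IPv4 before classifying it, so loosely formatted input of the kind the comment above mentions (hex octets) is rejected outright instead of being mis-classified. The range list and the function names are my own choices.

```javascript
// Added example (not the node-ip project's code): a fail-closed "is this
// address public?" guard. It accepts only canonical dotted-decimal IPv4
// before classifying, so loosely formatted input (hex octets, fewer than
// four parts, leading zeros) is rejected instead of being mis-classified.

// Ranges that must never be treated as public: [network, prefixLength].
const PRIVATE_RANGES = [
  ['10.0.0.0', 8],      // RFC 1918
  ['172.16.0.0', 12],   // RFC 1918
  ['192.168.0.0', 16],  // RFC 1918
  ['127.0.0.0', 8],     // loopback
  ['169.254.0.0', 16],  // link-local
  ['0.0.0.0', 8],       // "this" network
];

// Strict parser: exactly four decimal octets, each 0-255, no leading
// zeros, no hex, no shorthand. Returns a 32-bit unsigned integer, or
// null when the input is not in that exact form.
function parseStrictIPv4(addr) {
  if (typeof addr !== 'string') return null;
  const parts = addr.split('.');
  if (parts.length !== 4) return null;
  let value = 0;
  for (const p of parts) {
    if (!/^(0|[1-9][0-9]{0,2})$/.test(p)) return null;
    const n = Number(p);
    if (n > 255) return null;
    value = value * 256 + n;
  }
  return value >>> 0;
}

// True when `value` lies inside network/prefix (both as parsed integers).
function inRange(value, network, prefix) {
  const net = parseStrictIPv4(network);
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return ((value & mask) >>> 0) === ((net & mask) >>> 0);
}

// Public only if the address is canonical AND outside every private range.
// Anything the strict parser rejects is reported as NOT public (fail
// closed), the safe default when the answer gates an outbound request.
function isPublicStrict(addr) {
  const value = parseStrictIPv4(addr);
  if (value === null) return false;
  return !PRIVATE_RANGES.some(([net, prefix]) => inRange(value, net, prefix));
}
```

If a caller needs to accept IPv6 as well, add an equally strict IPv6 parser; do not loosen this one.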

@Siliconvelly

I am getting this "NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks" on npm install in my react-native project from today. I am unable to understand why this issue arises, but it tells me to downgrade my React Native version, and when I downgrade it says to upgrade the version. So I researched and found that the npm ip package is getting the issue from the node_modules folder in my project, and I found this page. So please give any solution or suggestion and fix as soon as possible.

@kellyselden

@levpachmanov I'm curious, do you also publish the patches as forks to npm? Then it would be easy to consume as a package resolution override.

@dotboris

I have submitted a PR (github/advisory-database#3531) to GitHub's advisory database to change it to reflect the reality of the issue and reduce its severity.

@stalinTechXD

any latest update on this https://security.snyk.io/vuln/SNYK-JS-IP-6240864 ?

@SamLam140330

It seems there is a PR (#138)

@levpachmanov

Hi @kellyselden @electrovir @mattd-tg @DSurguy-Sterling - since a public fix hasn't been released yet, we published the versions we patched to NPM as well, as @seal-security/ip.
Notice that using those versions to fix your nested dependencies requires NPM's override feature, which is quite buggy (we even tried to fix it).

@marcomontalbano

Hi all! We can close this issue. PR #138 (comment) is now merged and v2.0.1 has been released 🎉

gastonfournier added a commit to Unleash/unleash that referenced this issue Feb 19, 2024

## About the changes
Bump IP package that fixes indutny/node-ip#136 vulnerability

gastonfournier added a commit to Unleash/unleash that referenced this issue Feb 19, 2024

## About the changes
Bump IP package that fixes indutny/node-ip#136 vulnerability

@mukitmomin

The CVE reported in the GitHub advisory database is not written correctly. NPM does not accept version v1.1.9 as a patched version, as the existing CVE lists the affected versions as <=2.0.0. This PR fixes the advisory to accept v1.1.9 as a patched version as well. Any idea when/how the CVE can be updated?

@ouuan

ouuan commented Feb 21, 2024

This is not resolved in 1.1.9/2.0.1. See #143 for more details.

@abhishek-parative

Can the maintainer/group with Write access take a look at #144?

@karthikTVS

karthikTVS commented Apr 29, 2024

The 1.1.8-sp patch version is not found in the registry: https://registry.npmjs.org/ip/-/ip-1.1.8-sp.tgz

@n0099

n0099 commented Jun 8, 2024
