Server-Side Request Forgery (SSRF) in ip
CVE-2025-59437
- ip
- org.webjars.npm:ip
Summary
The ip (aka node-ip) package (in NPM) might allow Server-Side Request Forgery (SSRF) because the IP address value "0" is improperly categorized as globally routable via "isPublic". NOTE: This issue exists because of an incomplete fix for CVE-2024-29415. NOTE: In current versions of several applications, connection attempts to the IP address "0" (interpreted as `0.0.0.0`) are blocked with error messages such as "net::ERR_ADDRESS_INVALID". However, in some situations that depend on both application version and operating system, connection attempts to "0" and "0.0.0.0" are treated as connection attempts to "127.0.0.1" (and, for this reason, a false value of "isPublic" would be preferable). This issue affects ip package versions 0.0.2 through 2.0.1.
- HIGH
- LOCAL
- LOW
- CHANGED
- NONE
- NONE
- NONE
- NONE
CWE-918 - Server-Side Request Forgery (SSRF)
Server-side request forgery (SSRF) is a weakness that allows an attacker to send an arbitrary request, making it appear that the request was sent by the server. This request may bypass a firewall that would normally prevent direct access to the URL. The impact of this vulnerability can vary from unauthorized access to files and sensitive information to remote code execution.
Advisory Timeline
- Published