Incorrect Behavior Order: Validate Before Canonicalize

CVE-2024-28607

Low

2.9/10

Summary

The ip-utils package through 2.4.0 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via a falsy isPrivate return value.

Attack Complexity: HIGH
Attack Vector: LOCAL
Integrity Impact: LOW
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: NONE
Availability Impact: NONE

CWE-180 - Incorrect Behavior Order: Validate Before Canonicalize

The software validates input before it is canonicalized, which prevents the software from detecting data that becomes invalid after the canonicalization step.

References

Advisory Timeline

Published Mar 11, 2025

Incorrect Behavior Order: Validate Before Canonicalize

CVE-2024-28607

Summary

CWE-180 - Incorrect Behavior Order: Validate Before Canonicalize

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS