A vulnerability in the ip package for Node.js, tracked as CVE-2024-29415 and affecting releases through 2.0.1, can enable Server-Side Request Forgery (SSRF): several spellings of loopback and private addresses are not recognised as non-routable by isPublic(), so a request to them passes a check that was meant to block it. The issue exists because the fix for the earlier ip vulnerability, CVE-2023-42282, was incomplete.

Technical Details

isPublic() in the ip package is the negation of isPrivate(), and isPrivate() tests the address as a string against regular expressions for the canonical dotted-quad and IPv6 spellings of the private, loopback and link-local ranges. Non-canonical spellings that the operating system resolver still accepts therefore fall through and are reported as public. The CVE description lists 127.1 (shorthand for 127.0.0.1), 01200034567 (a single octal integer that inet_aton decodes to an address in 10.0.0.0/8), 012.1.2.3 (an octal first octet, i.e. 10.1.2.3), 000:0:0000::01 (the IPv6 loopback ::1 with zero-padded groups) and ::fFFf:127.0.0.1 (the IPv4-mapped form of loopback). An application that uses isPublic() to decide whether a user-supplied URL may be fetched will accept these literals and then connect to an internal address.

The following snippet demonstrates the misclassification. Each literal denotes a loopback or private address once the operating system parses it, yet ip.isPublic() reports it as public:

const ip = require('ip');

// Every literal below is a non-canonical spelling of a loopback or private
// address. On ip 2.0.1 and earlier the string-matching isPrivate() does not
// recognise them, so isPublic() (= !isPrivate()) returns true for each.
console.log(ip.isPublic('127.1'));              // 127.0.0.1 in shorthand dotted form
console.log(ip.isPublic('01200034567'));        // octal integer, decodes into 10.0.0.0/8
console.log(ip.isPublic('012.1.2.3'));          // octal first octet: 10.1.2.3
console.log(ip.isPublic('000:0:0000::01'));     // ::1 with zero-padded groups
console.log(ip.isPublic('::fFFf:127.0.0.1'));   // IPv4-mapped loopback, mixed-case hex

Output on an affected version (2.0.1 and earlier):

true
true
true
true
true

Every one of these addresses is reported as globally routable (true) when a correct classification would return false.

Original References

Please review the following links for further information on the discovery, impact, and remediation of this vulnerability:

1. CVE-2024-29415 details: NVD - https://nvd.nist.gov/vuln/detail/CVE-2024-29415
2. CVE-2023-42282 details: NVD - https://nvd.nist.gov/vuln/detail/CVE-2023-42282

Mitigation

Update the ip package to a release that fixes the issue as soon as one is available. Until then, do not treat isPublic() as a sufficient SSRF guard on its own: it operates on the unnormalised string, so either wrap it with a stricter parser that accepts only canonical literals, or rewrite the check to normalise the address to its numeric form (including unwrapping IPv4-mapped IPv6 addresses) before comparing it against the non-routable ranges. Apply that check to the address actually resolved for the target host, immediately before connecting, not only to the string the user supplied.
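The following is an added example, not code from the ip package or from the original advisory: a fail-closed replacement for the isPublic() check that parses the literal strictly before classifying it, and so rejects every spelling listed above. The function and helper names (isStrictlyPublic, parseStrictIPv4, parseIPv6, isPublicIPv4, isPublicIPv6), the sample inputs and the range lists are mine; the ranges are assembled from the IANA special-purpose registries and are not taken from the page.

```javascript
// Added example: a fail-closed "is this address globally routable?" check
// that does not depend on the ip package. Anything that does not parse as
// a canonical literal is reported as NOT public.

// Strict dotted-quad IPv4: exactly four decimal octets, 0-255, no leading
// zeros. Shorthand ("127.1"), bare integers ("01200034567") and octal-looking
// octets ("012.1.2.3") are rejected even though inet_aton would accept them.
function parseStrictIPv4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const octets = [];
  for (let i = 1; i <= 4; i++) {
    if (m[i].length > 1 && m[i][0] === '0') return null;
    const n = Number(m[i]);
    if (n > 255) return null;
    octets.push(n);
  }
  return octets;
}

function ipv4ToInt(o) {
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

// Non-routable IPv4 blocks as [prefix, length]: assembled here from the
// IANA special-purpose registry plus multicast and the reserved 240/4 range.
const IPV4_NON_PUBLIC = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.0.0.0', 24], ['192.0.2.0', 24],
  ['192.168.0.0', 16], ['198.18.0.0', 15], ['198.51.100.0', 24],
  ['203.0.113.0', 24], ['224.0.0.0', 4], ['240.0.0.0', 4],
];

function isPublicIPv4(octets) {
  const addr = ipv4ToInt(octets);
  return !IPV4_NON_PUBLIC.some(([prefix, len]) => {
    const mask = (0xffffffff << (32 - len)) >>> 0;
    const net = ipv4ToInt(parseStrictIPv4(prefix));
    return ((addr & mask) >>> 0) === ((net & mask) >>> 0);
  });
}

// Expand an IPv6 literal into eight 16-bit groups, or null if malformed.
// Handles "::" compression and an embedded IPv4 tail (::ffff:127.0.0.1).
// A second "::" or a mangled tail is rejected rather than guessed at.
function parseIPv6(s) {
  if (typeof s !== 'string' || !s.includes(':')) return null;
  let str = s;
  const lastColon = str.lastIndexOf(':');
  const tail = str.slice(lastColon + 1);
  if (tail.includes('.')) {
    const v4 = parseStrictIPv4(tail);
    if (!v4) return null;
    str = str.slice(0, lastColon + 1) +
      ((v4[0] << 8) | v4[1]).toString(16) + ':' + ((v4[2] << 8) | v4[3]).toString(16);
  }
  const halves = str.split('::');
  if (halves.length > 2) return null;
  const split = (part) => (part === '' ? [] : part.split(':'));
  const head = split(halves[0]);
  const rest = halves.length === 2 ? split(halves[1]) : [];
  if (![...head, ...rest].every((g) => /^[0-9a-fA-F]{1,4}$/.test(g))) return null;
  const missing = 8 - head.length - rest.length;
  if (halves.length === 2 ? missing < 1 : missing !== 0) return null;
  const groups = head.map((g) => parseInt(g, 16));
  if (halves.length === 2) for (let i = 0; i < missing; i++) groups.push(0);
  return groups.concat(rest.map((g) => parseInt(g, 16)));
}

function isPublicIPv6(g) {
  if (g.slice(0, 6).every((x) => x === 0)) return false; // ::/96: unspecified, ::1, IPv4-compatible
  if (g.slice(0, 5).every((x) => x === 0) && g[5] === 0xffff) { // ::ffff:a.b.c.d, IPv4-mapped
    return isPublicIPv4([g[6] >> 8, g[6] & 0xff, g[7] >> 8, g[7] & 0xff]);
  }
  if ((g[0] & 0xfe00) === 0xfc00) return false;         // fc00::/7 unique local
  if ((g[0] & 0xffc0) === 0xfe80) return false;         // fe80::/10 link-local
  if ((g[0] & 0xff00) === 0xff00) return false;         // ff00::/8 multicast
  if (g[0] === 0x2001 && g[1] === 0x0db8) return false; // 2001:db8::/32 documentation
  if (g[0] === 0x0064 && g[1] === 0xff9b) return false; // 64:ff9b::/32 NAT64, treated conservatively
  return true;
}

// Fail closed: only a strictly parsed literal outside every non-routable range is public.
function isStrictlyPublic(addr) {
  const v4 = parseStrictIPv4(addr);
  if (v4) return isPublicIPv4(v4);
  const v6 = parseIPv6(addr);
  if (v6) return isPublicIPv6(v6);
  return false;
}

// Constructed inputs: the literals from the CVE description plus a few controls.
const SAMPLES = [
  '127.1', '01200034567', '012.1.2.3', '000:0:0000::01', '::fFFf:127.0.0.1',
  '127.0.0.1', '10.0.0.5', '::1', 'fd12::1',
  '8.8.8.8', '2001:4860:4860::8888', '::ffff:8.8.8.8',
];

for (const s of SAMPLES) console.log(s.padEnd(24), isStrictlyPublic(s));
```

The difference from the vulnerable check is the order of operations: the address is converted to its numeric form first and only then compared against the ranges, so "000:0:0000::01" and "::1" are the same value, and an IPv4-mapped address is judged by the IPv4 it embeds. Unparseable or non-canonical input is refused rather than passed through, and the shorthand and octal spellings are deliberately excluded because a strict allow-list should not have to reproduce every quirk of inet_aton. In an SSRF guard, run this on the address your resolver returns for the target and connect to that same address, so a hostname cannot resolve to something different between the check and the request.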

Conclusion

Vulnerabilities like CVE-2024-29415 show that an SSRF guard is only as good as the parser behind it. Keep dependencies such as ip current, but also make sure address checks run on a normalised value rather than on the raw string the user supplied, and watch the advisories for the packages your application relies on.

Timeline

Published on: 05/27/2024 20:15:08 UTC
Last modified on: 08/16/2024 14:35:01 UTC