CVE-2024-29415: Popular Node.js Package ‘node-ip’ Exposes Millions to Potential SSRF Attacks
A significant security vulnerability has been uncovered in the widely-used node-ip npm package, which is designed to retrieve a computer’s IPv4 addresses via a simple command-line tool. This package, which boasts over 19 million downloads each week, has been identified to contain a serious Server-Side Request Forgery (SSRF) vulnerability, marked as CVE-2024-29415.
The vulnerability stems from the way the node-ip package categorizes certain IP addresses. The isPublic() function, which is intended to distinguish between public and private IP addresses, is flawed. It mistakenly classifies some private IP addresses as public, making them susceptible to SSRF attacks. This flaw exists in versions up to 2.0.1 of the package.
Among the problematic IP addresses improperly categorized are:
- 127.1
- 01200034567
- 012.1.2.3
- 000:0:0000::01
- ::fFFf:127.0.0.1
These misclassifications occur because the isPublic() function fails to correctly interpret these addresses, potentially allowing malicious actors to exploit the package for unauthorized access to internal systems.
The CVE-2024-29415 vulnerability is notably linked to an incomplete fix for a previous issue, CVE-2023-42282. The root cause lies in the API design itself, which does not return normalized parsing results. Users relying on the original, potentially malformed input could encounter parser discrepancies, leading to security gaps.
As of now, no official patch has been applied to the original node-ip package. However, a proposed patch is available at issue #144 on the package’s GitHub repository. Despite this, the package’s maintenance has been lackluster, with the author unresponsive to the recent issues.
Given the gravity of the situation and the lack of active maintenance, users of the node-ip package are strongly advised to migrate to alternative packages that offer similar functionalities but with better support and active development. Even if current usage of the package does not appear to be directly affected by this vulnerability, transitioning to a more secure and actively maintained solution is prudent.
For those who must continue using the node-ip package, it is crucial to thoroughly review their codebase to ensure that the isPublic(), isPrivate(), and isLoopback() functions are not used to guard sensitive network requests. This includes verifying whether IP addresses provided in user inputs are correctly identified as private or public before sending out requests.
Moreover, following best practices outlined in the Server-Side Request Forgery Prevention – OWASP Cheat Sheet can provide additional safeguards, as even a correctly functioning isPublic() method may not be sufficient to prevent SSRF attacks on its own.