Vulnerability: express-ipfilter use Depends on vulnerable versions of ip package

Question

Vulnerability: express-ipfilter use Depends on vulnerable versions of ip package

Closed this issue 5 months ago · 10 comments

ip *
Severity: high
NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks - GHSA-78xj-cgh5-2h22
No fix available
node_modules/ip
express-ipfilter *
Depends on vulnerable versions of ip
node_modules/express-ipfilter

Answer 1 · 2024-02-14T13:27:37.000Z

Not relevant, we do not use isPublic, see https://github.com/search?q=repo%3Ajetersen%2Fexpress-ipfilter%20isPublic&type=code

Answer 2 · 2024-02-15T17:00:34.000Z

Thanks for reply, I am about this package https://github.com/jetersen/express-ipfilter/blob/master/package.json#L78

Answer 3 · 2024-02-15T17:02:12.000Z

But seems there is no fix from https://github.com/indutny/node-ip

Answer 4 · 2024-02-15T17:03:44.000Z

But the vulnerability is only in there if you actively use isPublic
Please read the CVE.

Answer 5 · 2024-02-15T17:37:10.000Z

Oh, sure, I understood, thanks for the reply.

Answer 6 · 2024-02-19T21:26:13.000Z

This logic doesn't compute for me.
what is the downside to upgrade and get rid of false positive report ?

Answer 7 · 2024-02-20T06:37:25.000Z

Feel free to submit a PR. There are plenty of false positive.

Answer 8 · 2024-02-20T17:09:30.000Z

Fixed in https://github.com/jetersen/express-ipfilter/releases/tag/v1.3.2

Answer 9 · 2024-02-21T13:57:26.000Z

Thanks will do next time. I misunderstood your comment

Answer 10 · 2024-02-21T14:28:09.000Z

@odubuc well you can read this: indutny/node-ip#136 (comment) it details the issue I have with this CVE