Vulnerability: express-ipfilter depends on vulnerable versions of the ip package
Closed this issue · 10 comments
ip *
Severity: high
NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks - GHSA-78xj-cgh5-2h22
No fix available
node_modules/ip
express-ipfilter *
Depends on vulnerable versions of ip
node_modules/express-ipfilter
Not relevant, we do not use isPublic, see https://github.com/search?q=repo%3Ajetersen%2Fexpress-ipfilter%20isPublic&type=code
Thanks for the reply, I am asking about this package https://github.com/jetersen/express-ipfilter/blob/master/package.json#L78
But it seems there is no fix from https://github.com/indutny/node-ip
But the vulnerability is only in there if you actively use isPublic
Please read the CVE.
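One way to check the maintainer's reachability argument for any downstream package, as an added example that is not code from this issue or from express-ipfilter: scan a module's source for which `ip` exports it actually references, and flag the finding as applicable only if `isPublic` is among them. The two source strings are constructed samples, and treating `isPublic` as the only export of concern follows the discussion above rather than the full advisory text.

```javascript
// Added example: triage a transitive npm audit finding by reachability.
// The export under discussion is ip.isPublic(); a package that never calls it
// does not reach the reported behaviour. Sample sources below are constructed.
const EXPORTS_OF_CONCERN = new Set(['isPublic']); // per the thread above, not the full advisory

// Collect the names of `ip` exports referenced in one source file.
function ipExportsUsed(source) {
  const used = new Set();
  // Namespace/default binding: const ip = require('ip'); import ip from 'ip'; import * as ip from 'ip'
  const bindRe = /(?:const|let|var)\s+(\w+)\s*=\s*require\(\s*['"]ip['"]\s*\)|import\s+(?:\*\s+as\s+)?(\w+)\s+from\s+['"]ip['"]/g;
  let m;
  while ((m = bindRe.exec(source)) !== null) {
    const binding = m[1] || m[2];
    const memberRe = new RegExp('\\b' + binding + '\\.(\\w+)', 'g');
    let mm;
    while ((mm = memberRe.exec(source)) !== null) used.add(mm[1]);
  }
  // Destructured binding: const { isPublic, cidrSubnet: cs } = require('ip'); import { isPublic as pub } from 'ip'
  const destrRe = /\{([^}]*)\}\s*=\s*require\(\s*['"]ip['"]\s*\)|import\s*\{([^}]*)\}\s*from\s+['"]ip['"]/g;
  while ((m = destrRe.exec(source)) !== null) {
    for (const part of (m[1] || m[2]).split(',')) {
      const original = part.split(/\s*(?::|\bas\b)\s*/)[0].trim(); // export name before any alias
      if (original) used.add(original);
    }
  }
  return [...used].sort();
}

// Decide whether the advisory's affected export is reached by this source.
function triage(source) {
  const used = ipExportsUsed(source);
  const reached = used.filter((name) => EXPORTS_OF_CONCERN.has(name));
  return { used, reached, applies: reached.length > 0 };
}

// Constructed sample 1: an address filter that only uses CIDR and equality helpers.
const SAMPLE_FILTER = `
const ip = require('ip');
function allowed(addr, cidr) { return ip.cidrSubnet(cidr).contains(addr) || ip.isEqual(addr, '::1'); }
`;
// Constructed sample 2: an outbound-request gate that relies on isPublic().
const SAMPLE_SSRF_GATE = `
import { isPublic, toLong as asLong } from 'ip';
export function outboundOk(host) { return isPublic(host); }
`;

console.log(triage(SAMPLE_FILTER));    // applies: false
console.log(triage(SAMPLE_SSRF_GATE)); // applies: true, reached: ['isPublic']
```

Run the scan over every file in the dependency's package directory to reproduce the code-search check the maintainer linked, without relying on the advisory's package-level version range alone.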
Oh, sure, I understood, thanks for the reply.
This logic doesn't compute for me.
What is the downside to upgrading and getting rid of the false positive report?
Feel free to submit a PR. There are plenty of false positives.
Thanks, will do next time. I misunderstood your comment.
@odubuc well you can read this: indutny/node-ip#136 (comment) it details the issue I have with this CVE