If you’re using the ip package in your Node.js apps, you might be at risk due to CVE-2024-29415. This fresh vulnerability lets attackers sneak Server-Side Request Forgery (SSRF) payloads through, all because some funny-looking IP addresses slip past the security net. Let’s see what’s happening, how it works, and how you can avoid being bitten.
What’s CVE-2024-29415 About?
In simple words: ip (through version 2..1) tried to help developers figure out if an IP address was “public” or not. Doing that is important, especially when stopping SSRF attacks. However, the function called isPublic mistakenly tagged some special addresses—like 127.1, 01200034567, and fancy IPv6 ones like 000::000::01—as if they were regular internet IPs instead of local/private ones.
The root? An old bug (CVE-2023-42282) never got fully fixed. Attackers can use those “tricky” addresses to bypass SSRF filters and reach sensitive local network services.
What’s SSRF, and Why Should You Care?
Server-Side Request Forgery (SSRF) lets attackers trick your server into making requests—sometimes to internal services only the server can see. If the server trusts the IP or hostname without double-checking, bad things can happen:
- Exposure of sensitive data (like accessing http://127...1:808/admin)
Cloud metadata leaks
If your app uses ip.isPublic to allow or block certain URLs or IPs, you might accidentally open the door to local services.
Let’s say you check user-supplied URLs like this
const ip = require('ip');
const url = require('url');
const dns = require('dns').promises;
async function checkUrl(userUrl) {
const parsed = url.parse(userUrl);
const addresses = await dns.resolve(parsed.hostname);
if (addresses.some(addr => ip.isPublic(addr))) {
// safe to allow
return true;
}
return false;
}
It *looks* solid: if the hostname resolved to a private (local) address, isPublic would catch it, right? But with this bug, an attacker submits:
- http://127.1/somepath
- http://012.1.2.3/somepath
- http://000::000::01/somepath
- http://::ffff:127...1/somepath
- http://01200034567/somepath
These are all different ways of writing loopback/local addresses. However, the buggy isPublic says they’re public, and your application lets the request through.
Try this for yourself with ip@2..1
const ip = require('ip');
console.log(ip.isPublic('127...1')); // false (good)
console.log(ip.isPublic('127.1')); // true (wrong!)
console.log(ip.isPublic('012.1.2.3')); // true (wrong!)
console.log(ip.isPublic('000::000::01')); // true (wrong!)
console.log(ip.isPublic('::ffff:127...1')); // true (wrong!)
If you use these addresses, the app thinks they’re safe, but they actually reach internal services.
Where’s the Evidence?
- CVE Description
- GitHub Advisory for ip package
- Previous issue, CVE-2023-42282
- SSRF reference guide
How Bad Is It?
- Impact: Attackers can hit internal endpoints if your app uses faulty IP checks—potentially high-severity depending on your setup.
How Can I Fix or Detect This?
1. Update the ip package ASAP when a patch releases. Watch: npmjs.com/package/ip
2. Don’t rely just on IP checks. Validate and restrict what services your server-side code can reach.
3. Use strict allowlists of hostnames/IPs for internal requests (never let a user choose any URL).
4. Log & monitor suspicious requests. Any odd-looking IPs like 127.1 or leading zeros should be a red flag.
Final Thoughts
CVE-2024-29415 is a classic “tricky input” bug. It’s an easy mistake—even security-minded devs trust libraries to “do the right thing” on weird IP formats.
If you handle URLs or IPs from users anywhere in your Node.js code, check your dependencies and your code logic. Don’t let your server become a gateway into your internal network!
References
- CVE-2024-29415 MITRE Record
- ip npm package
- CVE-2023-42282 Background Advisory
- SSRF Deep Dive (PortSwigger)
---
*This explainer is exclusive and original. Stay tuned for patch updates and always scrutinize how your app talks to the outside world!*
Timeline
Published on: 05/27/2024 20:15:08 UTC
Last modified on: 08/16/2024 14:35:01 UTC