CVE-2023-42282
Vexday Risk Score: 28 (Low)
SSVC decision (CISA): Track
No exploitation signal → monitor
CVSS 9.8 · EPSS 1.6% · KEV: no · PoC: — · Nuclei: — · Metasploit: — · Patch: —
Lifecycle
08 Feb 2024: Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/a
References
https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html
https://github.com/indutny/node-ip/commit/6a3ada9b471b09d5f0f5be264911ab564bf67894
https://huntr.com/bounties/bfc3b23f-ddc0-4ee7-afab-223b07115ed3/
https://security.netapp.com/advisory/ntap-20240315-0008/
https://www.bleepingcomputer.com/news/security/dev-rejects-cve-severity-makes-his-github-repo-read-only/