CVE-2023-42282 NPM package "ip" vulnerability

[bert-bae]

Node Alpine 18.19-alpine3.19 and below have the "ip" package vulnerability.
NIST issue link

The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.

Although the images are using [email protected], it looks like the proper fix is applied in [email protected]. Since it is a dependency of npm, it appears updating the npm version to the latest will resolve the issue.

Impacted versions: <=0.4.23
Discovered: Feb 8, 2024
Updated: Mar 6, 2024

Related issues:

• npm
• docker-node

[msaktor]

npm version 10.5.0
is using socks 2.8.0
npm/cli#7184 (files)

which replaced the problematic ip package
JoshGlazebrook/socks@66b7f73#diff-7ae45ad102eab3b6d7e7896acd08c427a9b25b346470d7bc6507b6481575d519L48

it's avaiable in node versions:

>= 21.7.0
>= 20.12.0
>= 18.20.0

[thuey]

Looks like this has been updated in the latest image: nodejs/docker-node@e8dc035

[Lumi669]

I am using node:20.11.0-alpine, got the same as bellow:

The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.

ps, i use pnpm and after install the ip 2.0.1 , still got this issue