huntrPayloadartist1-NPM-PRIVATE-IP
Mar 30, 2021 - 8:12 a.m.

Server-Side Request Forgery (SSRF) in frenchbread/private-ip

2021-03-30 08:12:57
payloadartist
www.huntr.dev
15
ssrf
private ip
npm module
vulnerability
bypass
bug bounty

EPSS

0.009

Percentile

83.2%

✍️ Description

Private-ip is an NPM module that checks whether an input IP address is private, so as to prevent SSRF attacks. It has ~12k downloads every week on NPM.

However, I found that by crafting a malicious IP, an attacker can easily bypass this check.

🕵️‍♂️ Proof of Concept

First test case - 127.0.0.1, the application returns true and is able to determine it’s a private IP:

var privateIp = require("private-ip")

// Loopback address in canonical form: the module recognises it as private
console.log('Testing 127.0.0.1')
console.log(privateIp('127.0.0.1')); // returns true

Bypass - 127.0.0.01: adding a ‘0’ to the 4th octet, for example, bypasses the check. The module returns false, so the filter/regex is bypassed (if you ping 127.0.0.01, it resolves to 127.0.0.1, i.e. localhost).

var privateIp = require("private-ip")

// Same loopback address with a leading zero in the 4th octet
console.log('Testing 127.0.0.01')
console.log(privateIp('127.0.0.01')); // returns false

💥 Impact

It can be used to bypass SSRF filters wherever this NPM module is used to prevent SSRF.
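
A fail-closed check that closes the gap shown above, as an added example (not code from the private-ip module or from the original report): only canonical dotted-quad IPv4 is parsed, so 127.0.0.01 is rejected instead of being classified as non-private. The function names and the list of blocked ranges are assumptions chosen for illustration, and the example covers IPv4 only.

```javascript
'use strict';

// Ranges treated as non-public: [CIDR base, prefix length] (illustrative list).
const BLOCKED = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
];

// Accept only canonical dotted-quad: four decimal octets, 0-255, no leading
// zeros. Returns the address as an unsigned 32-bit number, or null otherwise.
function parseCanonicalIPv4(input) {
  if (typeof input !== 'string') return null;
  const parts = input.split('.');
  if (parts.length !== 4) return null;
  let value = 0;
  for (const part of parts) {
    if (!/^(0|[1-9][0-9]{0,2})$/.test(part)) return null; // "01" fails here
    const octet = Number(part);
    if (octet > 255) return null;
    value = value * 256 + octet;
  }
  return value;
}

// True when addr falls inside base/prefix.
function inCidr(addr, base, prefix) {
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return ((addr & mask) >>> 0) === ((parseCanonicalIPv4(base) & mask) >>> 0);
}

// 'rejected' for anything non-canonical, otherwise 'private' or 'public'.
function classifyIPv4(input) {
  const addr = parseCanonicalIPv4(input);
  if (addr === null) return 'rejected';
  return BLOCKED.some(([base, prefix]) => inCidr(addr, base, prefix))
    ? 'private'
    : 'public';
}

// Fail closed: only a canonical, public address is an allowed request target.
function isAllowedTarget(input) {
  return classifyIPv4(input) === 'public';
}
```

The check only helps if it is applied to the address the HTTP client actually connects to, so resolve a hostname first and pass the resolved IP to the check and to the connection.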
