The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.
[
  {
    "cpes": [
      "cpe:2.3:a:fedorindutny:ip:*:*:*:*:*:node.js:*:*"
    ],
    "vendor": "fedorindutny",
    "product": "ip",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "2.0.1",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unknown"
  }
]
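The description above lists address spellings that isPublic misclassifies. One defensive pattern is to accept only canonical textual forms and classify the parsed numeric value, failing closed on everything else. The sketch below is an added example, not code from the ip package or its fix; `parseV4`, `parseV6`, `v4Special` and `isPublicStrict` are hypothetical names, and the list of special-use ranges is an illustrative subset.

```javascript
// Added example; all function names are hypothetical, not part of the ip package.
// Canonical dotted quad only: four decimal octets, no leading zeros, no short forms.
const OCTET = '(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)';
const V4 = new RegExp(`^${OCTET}(?:\\.${OCTET}){3}$`);

function parseV4(s) {
  return V4.test(s) ? s.split('.').map(Number) : null;
}

// Let the WHATWG URL host parser validate and canonicalize IPv6, then expand "::".
function parseV6(s) {
  if (!s.includes(':') || !/^[0-9a-fA-F:.]+$/.test(s)) return null;
  let host;
  try {
    host = new URL(`http://[${s}]/`).hostname.slice(1, -1);
  } catch {
    return null;
  }
  const [head, tail] = host.split('::');
  const h = head ? head.split(':') : [];
  const t = tail ? tail.split(':') : [];
  const pad = tail === undefined ? [] : Array(8 - h.length - t.length).fill('0');
  return [...h, ...pad, ...t].map((g) => parseInt(g, 16));
}

// Illustrative subset of special-use IPv4 ranges (assumption: extend per policy).
function v4Special([a, b]) {
  return a === 0 || a === 10 || a === 127 || a >= 224 ||
    (a === 100 && b >= 64 && b <= 127) ||   // 100.64.0.0/10
    (a === 169 && b === 254) ||             // 169.254.0.0/16
    (a === 172 && b >= 16 && b <= 31) ||    // 172.16.0.0/12
    (a === 192 && b === 168);               // 192.168.0.0/16
}

function isPublicStrict(addr) {
  if (typeof addr !== 'string') return false;
  const v4 = parseV4(addr);
  if (v4) return !v4Special(v4);
  const g = parseV6(addr);
  if (!g) return false;                                   // fail closed
  const zeros = (n) => g.slice(0, n).every((x) => x === 0);
  if (zeros(5) && g[5] === 0xffff) {                      // IPv4-mapped
    return !v4Special([g[6] >> 8, g[6] & 0xff]);
  }
  if (zeros(7) && g[7] <= 1) return false;                // :: and ::1
  if ((g[0] & 0xfe00) === 0xfc00) return false;           // fc00::/7
  if ((g[0] & 0xffc0) === 0xfe80) return false;           // fe80::/10
  return (g[0] & 0xff00) !== 0xff00;                      // ff00::/8 multicast
}
```

For SSRF filtering, apply a check like this to the resolved address the client actually connects to, not only to the string supplied by the user.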