CVE-2024-29415
Published: 27 May 2024
Summary
CVE-2024-29415 is a high-severity SSRF (CWE-918) vulnerability. Its CVSS base score is 8.1 (High).
Operationally, it ranks in the top 0.7% of CVEs by EPSS exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
The ip package through version 2.0.1 for Node.js is affected by an SSRF vulnerability tracked as CVE-2024-29415. Certain non-standard IP address representations, including 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1, are incorrectly treated as globally routable by the isPublic function, allowing them to bypass intended restrictions. The flaw stems from an incomplete remediation of the earlier CVE-2023-42282 issue and carries a CVSS 3.1 score of 8.1 with CWE-918 and CWE-941 classifications.
An unauthenticated remote attacker can supply these crafted addresses to applications that rely on the package for IP classification, potentially enabling requests to internal or loopback resources that should have been blocked. Successful exploitation can result in unauthorized access to sensitive internal services or data exfiltration depending on how the calling application uses the isPublic result.
The referenced GitHub issues and pull requests in the node-ip repository document ongoing discussion of the categorization logic and prior attempts to address similar bypasses; no separate vendor advisory or patch release is described in the available details. The EPSS score peaked at 0.8805 and currently stands at 0.8434, a sustained high predicted probability of exploitation in the wild following disclosure.
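As an added example (not code from the node-ip package or its maintainers), the check below shows the canonicalize-then-classify approach that closes this class of bypass: it parses only strict dotted-quad IPv4 and RFC 4291 IPv6 text, treats anything else as invalid, unwraps IPv4-mapped IPv6 before deciding, and fails closed. inet_aton-style parsers read 127.1 as 127.0.0.1 and a leading zero as octal (012.1.2.3 is 10.1.2.3), which is why lenient parsing followed by a range check ends up approving loopback and RFC 1918 targets. The reserved-range tables are drawn from the IANA special-purpose address registries and are illustrative rather than exhaustive; the sample inputs are constructed (the five spellings from the CVE text plus two public addresses as controls).

```javascript
'use strict';
// Added example, not code from the node-ip package: a fail-closed check for
// "is this address globally routable?" that canonicalizes the input first, so
// the non-standard spellings listed in the CVE description ("127.1",
// "012.1.2.3", "::fFFf:127.0.0.1", ...) cannot be misread as public.

const V4_OCTET = /^(?:0|[1-9][0-9]{0,2})$/;   // decimal only, no leading zero (no octal)
const V6_GROUP = /^[0-9a-fA-F]{1,4}$/;

// Strict dotted-quad parser -> unsigned 32-bit integer, or null.
// Shorthand ("127.1"), single-number ("01200034567") and leading-zero
// forms ("012.1.2.3") that inet_aton-style parsers accept are all rejected.
function parseIPv4(s) {
  const parts = s.split('.');
  if (parts.length !== 4 || !parts.every((p) => V4_OCTET.test(p) && Number(p) <= 255)) return null;
  return parts.reduce((acc, p) => acc * 256 + Number(p), 0);
}

// Strict IPv6 parser -> array of eight 16-bit groups, or null. Handles "::"
// compression, a zone index ("%eth0") and an embedded dotted-quad tail.
function parseIPv6(s) {
  let addr = s.split('%')[0];
  const lastColon = addr.lastIndexOf(':');
  const tail = addr.slice(lastColon + 1);
  if (tail.includes('.')) {                      // fold ::ffff:a.b.c.d into two hex groups
    const v4 = parseIPv4(tail);
    if (v4 === null) return null;
    addr = addr.slice(0, lastColon + 1) + (v4 >>> 16).toString(16) + ':' + (v4 & 0xffff).toString(16);
  }
  const halves = addr.split('::');
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(':') : [];
  const rest = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - rest.length;
  if (missing < 0 || (halves.length === 1 && missing !== 0)) return null;
  const groups = [...head, ...Array(missing).fill('0'), ...rest];
  if (!groups.every((g) => V6_GROUP.test(g))) return null;
  return groups.map((g) => parseInt(g, 16));
}

// Blocks that are not globally routable, as [network, prefixLength]. Drawn from
// the IANA special-purpose registries; illustrative, not exhaustive.
const NON_PUBLIC_V4 = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.0.0.0', 24], ['192.0.2.0', 24],
  ['192.168.0.0', 16], ['198.18.0.0', 15], ['198.51.100.0', 24],
  ['203.0.113.0', 24], ['224.0.0.0', 4], ['240.0.0.0', 4],
];
const NON_PUBLIC_V6 = [
  ['::', 96],         // unspecified, loopback (::1), deprecated IPv4-compatible
  ['100::', 64],      // discard-only
  ['2001:db8::', 32], // documentation
  ['fc00::', 7],      // unique local
  ['fe80::', 10],     // link-local
  ['ff00::', 8],      // multicast
];

function inV4(addr, network, len) {
  const size = 2 ** (32 - len);
  return Math.floor(addr / size) === Math.floor(network / size);
}

function inV6(groups, network, len) {
  for (let i = 0; i < 8; i++) {
    const bits = Math.min(16, len - 16 * i);
    if (bits <= 0) return true;
    const mask = (0xffff << (16 - bits)) & 0xffff;
    if ((groups[i] & mask) !== (network[i] & mask)) return false;
  }
  return true;
}

function classifyV4(n) {
  return NON_PUBLIC_V4.some(([net, len]) => inV4(n, parseIPv4(net), len)) ? 'non-public' : 'public';
}

// Returns 'public', 'non-public' or 'invalid'. Callers must treat 'invalid'
// exactly like 'non-public': an address the check cannot parse is never fetched.
function classify(s) {
  const v4 = parseIPv4(s);
  if (v4 !== null) return classifyV4(v4);
  const v6 = parseIPv6(s);
  if (v6 === null) return 'invalid';
  // IPv4-mapped (::ffff:a.b.c.d, however the hex is cased): judge the inner IPv4.
  if (v6.slice(0, 5).every((g) => g === 0) && v6[5] === 0xffff) return classifyV4(v6[6] * 65536 + v6[7]);
  return NON_PUBLIC_V6.some(([net, len]) => inV6(v6, parseIPv6(net), len)) ? 'non-public' : 'public';
}

function isPublicStrict(s) { return classify(s) === 'public'; }

// Constructed inputs: the five spellings from the CVE text plus two public controls.
const SAMPLES = ['127.1', '01200034567', '012.1.2.3', '000:0:0000::01', '::fFFf:127.0.0.1', '8.8.8.8', '2606:4700::1111'];
for (const s of SAMPLES) console.log(`${s.padEnd(18)} ${classify(s).padEnd(10)} isPublicStrict=${isPublicStrict(s)}`);
```

Apply the check to the address the client will actually connect to, after name resolution, rather than to the URL's host string; a hostname that resolves to a loopback or private address, or that changes between check and connect, defeats a string-level filter. The parsing is deliberately self-contained so that the acceptance rules are visible in one place; Node's net.isIP can be layered in front of it as an extra syntactic gate but should not replace it.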
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-1886
Vulnerability details
The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Penetration testing attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation.
- Outbound connections to external resources can be monitored and limited at the boundary, reducing SSRF impact.
- Validates server-side URLs and resource references to block SSRF attempts.
- Detects server-side request forgery through monitoring of unexpected outbound connections.