Cyber Resilience

CVE-2024-29415

Severity: High

Published: 27 May 2024
Modified: 15 April 2026
CVSS Score (v3.1): 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.8434 (99.3rd percentile)
Risk Priority: 67 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-29415 is a high-severity server-side request forgery (SSRF, CWE-918) vulnerability in the ip package for Node.js, with a CVSS v3.1 base score of 8.1 (High).

Operationally, its EPSS score places it in the top 0.7% of CVEs by predicted exploit likelihood, but it is not currently listed in the CISA KEV catalog.

Deeper analysis

The ip package through version 2.0.1 for Node.js is affected by an SSRF vulnerability tracked as CVE-2024-29415. Certain non-standard IP address representations, including 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1, are incorrectly treated as globally routable by the isPublic function, allowing them to bypass intended restrictions. The underlying problem is a parser mismatch: isPublic does not recognise these strings as the loopback or private addresses they denote, while inet_aton-style parsers used by operating-system resolvers and many HTTP clients accept fewer than four octets and treat a leading zero as octal, so 127.1 connects to 127.0.0.1 and 012.1.2.3 to 10.1.2.3; likewise 000:0:0000::01 is simply ::1, and ::fFFf:127.0.0.1 is the IPv4-mapped form of loopback. The flaw stems from an incomplete remediation of the earlier CVE-2023-42282 issue and carries a CVSS 3.1 score of 8.1 with CWE-918 and CWE-941 classifications.

An unauthenticated remote attacker can supply these crafted addresses to applications that rely on the package for IP classification, potentially enabling requests to internal or loopback resources that should have been blocked. Successful exploitation can result in unauthorized access to sensitive internal services or data exfiltration, depending on how the calling application uses the isPublic result. Applications that gate outbound requests on isPublic alone should treat any address that is not in strict canonical form as invalid rather than public, and should re-check the address the socket actually connects to after DNS resolution, since the check on the user-supplied string is otherwise easy to sidestep.

The referenced GitHub issues and pull requests in the node-ip repository document ongoing discussion of the categorization logic and prior attempts to address similar bypasses, though no separate vendor advisory or patch release is described in the available details. The EPSS score peaked at 0.8805 and currently stands at 0.8434, indicating a sustained, high predicted probability of exploitation since disclosure.
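The following is an added example, not code from the ip package or the node-ip repository, showing the fail-closed classification described above: only strict canonical literals are ever classified, every non-standard form from the CVE description is rejected as invalid, and IPv4-mapped IPv6 addresses are classified by their embedded IPv4 address. The function names (parseIPv4Strict, parseIPv6, classify, isPublic) and the particular set of non-routable ranges are assumptions chosen for this illustration; the sample address list is constructed.

```javascript
'use strict';

// Strict dotted-quad parse: exactly four decimal octets, no leading zeros,
// each 0..255. Returns [a, b, c, d] or null. Shorthand such as "127.1",
// octal-looking "012.1.2.3" and bare integers like "01200034567" all fail.
function parseIPv4Strict(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const groups = m.slice(1);
  if (groups.some((g) => g.length > 1 && g[0] === '0')) return null;
  const octets = groups.map(Number);
  if (octets.some((o) => o > 255)) return null;
  return octets;
}

// Strict IPv6 parse into eight 16-bit words. Accepts a single "::", hex
// groups of 1-4 digits (so "000:0:0000::01" parses to ::1), an embedded
// IPv4 address only in the final position ("::ffff:127.0.0.1"), and drops
// a zone id ("%eth0"). Anything else returns null.
function parseIPv6(s) {
  const halves = s.split('%')[0].toLowerCase().split('::');
  if (halves.length > 2) return null;
  const toWords = (part, v4Allowed) => {
    if (part === '') return [];
    const groups = part.split(':');
    const words = [];
    for (let i = 0; i < groups.length; i++) {
      const g = groups[i];
      if (v4Allowed && i === groups.length - 1 && g.includes('.')) {
        const v4 = parseIPv4Strict(g);
        if (!v4) return null;
        words.push((v4[0] << 8) | v4[1], (v4[2] << 8) | v4[3]);
      } else if (/^[0-9a-f]{1,4}$/.test(g)) {
        words.push(parseInt(g, 16));
      } else {
        return null;
      }
    }
    return words;
  };
  const head = toWords(halves[0], halves.length === 1);
  const tail = halves.length === 2 ? toWords(halves[1], true) : [];
  if (head === null || tail === null) return null;
  const missing = 8 - head.length - tail.length;
  if (halves.length === 2 ? missing < 1 : missing !== 0) return null;
  return [...head, ...new Array(missing).fill(0), ...tail];
}

// Non-globally-routable IPv4 ranges (assumed list for this example): unspecified,
// loopback, RFC 1918, CGNAT, link-local, multicast, reserved and broadcast.
function isNonRoutableIPv4([a, b]) {
  return a === 0 || a === 10 || a === 127 || a >= 224 ||
    (a === 100 && b >= 64 && b <= 127) ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168);
}

function isNonRoutableIPv6(w) {
  const leading = (n) => w.slice(0, n).every((x) => x === 0);
  if (leading(7) && w[7] <= 1) return true;                 // :: and ::1
  if (leading(5) && w[5] === 0xffff) {                       // ::ffff:0:0/96
    // IPv4-mapped: classify by the embedded IPv4 address, not the IPv6 wrapper.
    return isNonRoutableIPv4([w[6] >> 8, w[6] & 0xff, w[7] >> 8, w[7] & 0xff]);
  }
  return (w[0] & 0xfe00) === 0xfc00 ||  // fc00::/7 unique local
         (w[0] & 0xffc0) === 0xfe80 ||  // fe80::/10 link-local
         (w[0] & 0xff00) === 0xff00;    // ff00::/8 multicast
}

// Returns 'public', 'private' or 'invalid'. Only strict literals are ever
// classified; everything else is 'invalid' so the caller fails closed instead
// of letting a non-standard spelling fall through as "public".
function classify(addr) {
  const v4 = parseIPv4Strict(addr);
  if (v4) return isNonRoutableIPv4(v4) ? 'private' : 'public';
  const v6 = parseIPv6(addr);
  if (v6) return isNonRoutableIPv6(v6) ? 'private' : 'public';
  return 'invalid';
}

function isPublic(addr) {
  return classify(addr) === 'public';
}

function classifyAll(addrs) {
  return Object.fromEntries(addrs.map((a) => [a, classify(a)]));
}

// The five literals from the CVE description plus a few controls (constructed input).
const CVE_SAMPLES = ['127.1', '01200034567', '012.1.2.3', '000:0:0000::01', '::fFFf:127.0.0.1'];
console.log(classifyAll([...CVE_SAMPLES, '8.8.8.8', '10.0.0.1', '2001:4860:4860::8888', '::ffff:10.0.0.1']));
```

Running the block prints each sample with its classification: the three IPv4 shorthands come back as invalid, the two IPv6 spellings as private, and only the genuinely public control addresses as public. The design point is that "invalid" is a distinct outcome from "public"; a caller that only asks isPublic() still gets false for every bypass string, but one that wants to log or reject malformed input can distinguish the two.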

Vulnerability details

The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Penetration testing attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation. (addresses CWE-918)
- Outbound connections to external resources can be monitored and limited at the boundary, reducing SSRF impact. (addresses CWE-918)
- Validates server-side URLs and resource references to block SSRF attempts. (addresses CWE-918)
- Detects server-side request forgery through monitoring of unexpected outbound connections. (addresses CWE-918)
