Source: node-ip
Version: 2.0.1+~1.1.3-3
Severity: important
Tags: security upstream
Forwarded: https://github.com/indutny/node-ip/issues/162
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for node-ip.

CVE-2025-59436[0]:
| The ip (aka node-ip) package through 2.0.1 (in NPM) might allow SSRF
| because the IP address value 017700000001 is improperly categorized
| as globally routable via isPublic. NOTE: this issue exists because
| of an incomplete fix for CVE-2024-29415.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-59436
    https://www.cve.org/CVERecord?id=CVE-2025-59436
[1] https://github.com/indutny/node-ip/issues/162

Regards,
Salvatore

