Hi Xavier,

On Sun, Oct 26, 2025 at 11:03:37AM +0100, Yadd wrote:
> On 26/10/2025 at 09:09, Salvatore Bonaccorso wrote:
> > Source: node-ip
> > Version: 2.0.1+~1.1.3-3
> > Severity: important
> > Tags: security upstream
> > Forwarded: https://github.com/indutny/node-ip/issues/162
> > X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
> >
> > Hi,
> >
> > The following vulnerability was published for node-ip.
> >
> > CVE-2025-59436[0]:
> > | The ip (aka node-ip) package through 2.0.1 (in NPM) might allow SSRF
> > | because the IP address value 017700000001 is improperly categorized
> > | as globally routable via isPublic. NOTE: this issue exists because
> > | of an incomplete fix for CVE-2024-29415.
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2025-59436
> >     https://www.cve.org/CVERecord?id=CVE-2025-59436
> > [1] https://github.com/indutny/node-ip/issues/162
> >
> > Regards,
> > Salvatore
>
> Hi,
>
> node-ip is no longer maintained. I already removed it from the dependencies of
> node-proxy-agents and node-socks. Next steps:
> - update npm to drop it
> - ROM-RM node-ip
Sounds good as an action plan, in particular dropping it for unstable/forky.

Regards,
Salvatore
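The CVE text quoted above says node-ip's isPublic treated the value 017700000001 as globally routable; that string is the inet_aton(3)-style single-number octal form of 127.0.0.1. The following is an added example written for this thread, not node-ip's own code: a defensive classifier that canonicalises inet_aton forms (octal, hex, fewer than four parts) to a dotted quad before checking reserved ranges, and fails closed on anything it cannot parse. The function names and the range list are assumptions made here.

```javascript
// Added example, not part of node-ip: canonicalise inet_aton-style IPv4
// strings, then classify, so "017700000001" is seen as 127.0.0.1.
function parsePart(p) {
  // Accept decimal, 0x-prefixed hex and 0-prefixed octal like inet_aton(3).
  let m;
  if ((m = /^0[xX]([0-9a-fA-F]+)$/.exec(p))) return parseInt(m[1], 16);
  if ((m = /^0([0-7]+)$/.exec(p))) return parseInt(m[1], 8);
  if (/^(0|[1-9][0-9]*)$/.test(p)) return parseInt(p, 10);
  return null; // anything else (empty, "08", "1e3", ...) is rejected
}

function normalizeIPv4(str) {
  // Returns the canonical dotted quad, or null if str is not a valid form.
  const parts = String(str).split('.');
  if (parts.length < 1 || parts.length > 4) return null;
  const nums = parts.map(parsePart);
  if (nums.some((n) => n === null)) return null;
  // All but the last part must fit one byte; the last fills the remaining bytes.
  const last = nums.pop();
  if (nums.some((n) => n > 255)) return null;
  const restBytes = 4 - nums.length;
  if (last >= 2 ** (8 * restBytes)) return null;
  let value = 0; // use arithmetic, not bitwise ops, to stay unsigned above 2^31
  for (const n of nums) value = value * 256 + n;
  value = value * 2 ** (8 * restBytes) + last;
  return [24, 16, 8, 0].map((s) => Math.floor(value / 2 ** s) % 256).join('.');
}

// Assumed list of non-globally-routable prefixes (loopback, RFC 1918,
// link-local, CGNAT, "this" network, multicast and reserved).
const NON_PUBLIC = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16], ['224.0.0.0', 3],
];

function toInt(quad) {
  return quad.split('.').reduce((acc, b) => acc * 256 + Number(b), 0);
}

function isPublicIPv4(str) {
  const canon = normalizeIPv4(str);
  if (canon === null) return false; // fail closed on unparsable input
  const v = toInt(canon);
  return !NON_PUBLIC.some(([net, bits]) =>
    Math.floor(v / 2 ** (32 - bits)) === Math.floor(toInt(net) / 2 ** (32 - bits)));
}
```

The key point is that the range comparison runs on the canonical form, so every spelling of 127.0.0.1 (017700000001, 0x7f.1, 2130706433, 127.1) is classified the same way.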

