ip-utils Package Server-Side Request Forgery Vulnerability

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in the ip-utils package for Node.js, affecting versions through 2.4.0. The issue arises because the 'isPrivate' function improperly categorizes certain IP addresses written in non-standard notation, such as '0x7f.1' (a hexadecimal shorthand for '127.0.0.1'), as globally routable. This misclassification can lead to security risks by allowing private IP addresses to be treated as public, potentially bypassing security controls that rely on accurate IP address validation.

Impact

Exploitation of this vulnerability can lead to server-side request forgery (SSRF), allowing attackers to manipulate server requests and potentially access internal resources or services.

Reproduction

The vulnerability can be reproduced by calling the 'isPrivate' function with non-standard representations of private IP addresses. For example, '0x7f.1' and '0177.0.0.1' (the latter in octal notation) are incorrectly evaluated as not private, when they should be.
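The defensive pattern behind the reproduction above is to canonicalize every inet_aton()-style spelling of an IPv4 address (hexadecimal, octal, and shortened dotted forms) into plain dotted-decimal before deciding whether it is private, rather than matching the raw string. The following is an added example written for this page; it is not code from the ip-utils package, and the names canonicalizeIPv4, isPrivateCanonical and BLOCKED_RANGES are its own. It goes beyond the two spellings quoted in the advisory by handling the general one-to-four-part form, where the last part fills all remaining low-order bytes.

```javascript
// Added example (not from the ip-utils project): canonicalize the
// non-standard IPv4 spellings that inet_aton()-style parsers accept
// ("0x7f.1", "0177.0.0.1", "127.1", "2130706433") into dotted-decimal
// BEFORE asking whether an address is private. A validator that only
// recognizes the literal "127.0.0.1" lets the other spellings through.

// Parse one dotted part as decimal, octal (leading 0) or hex (0x), as
// the BSD inet_aton() rules do. Returns null for anything else.
function parsePart(s) {
  let m;
  if ((m = /^0[xX]([0-9a-fA-F]+)$/.exec(s))) return parseInt(m[1], 16);
  if ((m = /^0([0-7]+)$/.exec(s))) return parseInt(m[1], 8);
  if (/^(0|[1-9][0-9]*)$/.test(s)) return parseInt(s, 10);
  return null;
}

// Convert any inet_aton()-accepted form to canonical "a.b.c.d", or null
// if the string is not an IPv4 address at all. One to four parts are
// allowed; the final part supplies every remaining low-order byte.
function canonicalizeIPv4(str) {
  const parts = String(str).split('.');
  if (parts.length < 1 || parts.length > 4) return null;
  const nums = parts.map(parsePart);
  if (nums.some((n) => n === null)) return null;
  const head = nums.slice(0, -1);
  const last = nums[nums.length - 1];
  const lastWidth = 4 - head.length; // bytes covered by the final part
  if (head.some((n) => n > 255)) return null;
  if (last >= 2 ** (8 * lastWidth)) return null;
  let value = 0;
  for (const n of head) value = value * 256 + n;
  value = value * 256 ** lastWidth + last;
  return [24, 16, 8, 0].map((sh) => (value >>> sh) & 255).join('.');
}

// Non-routable ranges a server-side fetcher should refuse: "this"
// network, RFC 1918, shared address space (CGNAT), loopback, link-local
// and limited broadcast. Each entry is [network, prefixLength].
const BLOCKED_RANGES = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
  ['255.255.255.255', 32],
];

// Dotted-decimal -> unsigned 32-bit integer.
function toUint32(dotted) {
  return dotted.split('.').reduce((acc, n) => acc * 256 + Number(n), 0);
}

// True if the address (in any accepted spelling) falls in a blocked
// range, false if it is globally routable. Unparsable input throws, so
// a caller cannot fall through to "public" by accident.
function isPrivateCanonical(str) {
  const canon = canonicalizeIPv4(str);
  if (canon === null) throw new Error(`not an IPv4 address: ${str}`);
  const addr = toUint32(canon);
  return BLOCKED_RANGES.some(([net, len]) => {
    const mask = (0xffffffff << (32 - len)) >>> 0;
    return ((addr & mask) >>> 0) === ((toUint32(net) & mask) >>> 0);
  });
}

// Constructed sample inputs: the two spellings from the advisory plus a
// few other inet_aton() forms and one genuinely public address.
const SAMPLES = ['0x7f.1', '0177.0.0.1', '2130706433', '0xA.1', '8.8.8.8'];
for (const s of SAMPLES) {
  console.log(`${s.padEnd(12)} -> ${canonicalizeIPv4(s).padEnd(12)} private=${isPrivateCanonical(s)}`);
}

module.exports = { canonicalizeIPv4, isPrivateCanonical, BLOCKED_RANGES };
```

Two caveats apply when this is used as an SSRF guard. First, the check must run on the address the request will actually connect to: resolve the hostname, test every returned address (IPv6 included, which this IPv4-only example does not cover), and connect to that same address, otherwise a DNS answer that changes between check and connect bypasses it. Second, a URL parser that follows the WHATWG rules, such as Node's built-in `new URL()`, already folds hosts like '0x7f.1' to '127.0.0.1', so comparing the validator's view of the host with the HTTP client's view is a quick way to detect this class of mismatch.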

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

  Category         Score
  spread             0.0
  impact             5.0
  exploitability     8.7
  remediation        0.0
  relevance          0.0
  threat             6.4
  urgency            2.9
  incentive          5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.