private-ip Server-Side Request Forgery Vulnerability

Vulnerability

A Server-Side Request Forgery (SSRF) vulnerability exists in all versions of the private-ip package. This vulnerability allows an attacker to provide an IP or hostname that resolves to a multicast IP address (224.0.0.0/4), which is not recognized as private by the package. The issue arises because the package's source code does not include multicast addresses in its private IP range allowlist.

Impact

Exploitation of this vulnerability could lead to unauthorized access to internal services or resources by allowing an attacker to manipulate server-side requests.

Reproduction

To reproduce this vulnerability, install the private-ip package and create a JavaScript file that imports it. Use the package's API to check whether several IP addresses, including a multicast address, are private. When the file is executed, private-ip will fail to classify the multicast IP as private, demonstrating the SSRF bypass.
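The following is an added example written for this advisory, not code from the private-ip package: a strict IPv4 parser and a fail-closed range check that a server can apply to outbound request targets, with the multicast block (224.0.0.0/4) included alongside the usual non-public ranges. The range list and function names are this example's own assumptions.

```javascript
// Added example, not part of the private-ip package or this advisory.
// Defensive supplement: classify IPv4 destinations a server-side fetch
// should refuse, including the multicast block (224.0.0.0/4) that the
// advisory says private-ip does not treat as private.

// Strict dotted-quad parser: exactly four decimal octets, no leading
// zeros, no shorthand forms. Returns a 32-bit unsigned integer or null.
function parseIpv4(str) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(str);
  if (!m) return null;
  let value = 0;
  for (let i = 1; i <= 4; i++) {
    const octet = m[i];
    if (octet.length > 1 && octet[0] === '0') return null; // reject "010"
    const n = Number(octet);
    if (n > 255) return null;
    value = value * 256 + n;
  }
  return value;
}

// Ranges a server-side request should never be allowed to reach.
// Constructed list for this example; multicast is the advisory's case.
const BLOCKED_RANGES = [
  ['0.0.0.0', 8],        // "this" network
  ['10.0.0.0', 8],       // RFC 1918
  ['100.64.0.0', 10],    // shared address space (CGNAT)
  ['127.0.0.0', 8],      // loopback
  ['169.254.0.0', 16],   // link-local, includes cloud metadata endpoints
  ['172.16.0.0', 12],    // RFC 1918
  ['192.168.0.0', 16],   // RFC 1918
  ['224.0.0.0', 4],      // multicast: the range private-ip misses
  ['240.0.0.0', 4],      // reserved, includes 255.255.255.255 broadcast
].map(([base, bits]) => [parseIpv4(base), bits]);

// True when ip falls inside base/bits (both as unsigned 32-bit ints).
function inRange(ip, base, bits) {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ip & mask) >>> 0) === ((base & mask) >>> 0);
}

// Returns true when the address must not be used as a request target.
// Unparseable input is treated as blocked (fail closed).
function isBlockedIpv4(str) {
  const ip = parseIpv4(str);
  if (ip === null) return true;
  return BLOCKED_RANGES.some(([base, bits]) => inRange(ip, base, bits));
}
```

Apply the check to the resolved address of the hostname, not only to the string the client supplied, so a name that resolves into 224.0.0.0/4 is refused as well.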

Added: Jul 23, 2025, 5:20 AM
Updated: Jul 23, 2025, 5:20 AM

Vulnerability Rating

Custom Algorithm
spread: 4.2
impact: 1.9
exploitability: 6.0
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.