NPM `ip` package is vulnerable to Server-Side Request Forgery (SSRF) attacks, see GitHub advisory for more information.
Affected packages:
- @react-native-community/cli-doctor@12.3.2 includes `ip` in the package.json file but doesn't appear to be used in the code itself.
- @react-native-community/cli-hermes@12.3.2:
It looks like `ip.isPublic` isn't explicitly used within the @react-native-community/cli-hermes@12.3.2 pkg:
cli/packages/cli-hermes/src/profileHermes/sourcemapUtils.ts, line 37 in 2602f83:

```js
const IP_ADDRESS = ip.address();
```
However, `ip.address` does call `ip.isPublic` under the hood:

```js
//...
    return name === 'public' ? ip.isPrivate(details.address)
                             : ip.isPublic(details.address);
  });
```
Could potentially introduce a function to check that the IP address isn't private or reserved using the ipaddr.js lib:

```js
const ipaddr = require('ipaddr.js');

// Function to check if the IP address is safe to use (not private or reserved)
function isSafeIPAddress(ipAddress) {
  try {
    let addr = ipaddr.parse(ipAddress);
    // Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the IPv4 ranges apply to it
    if (addr.kind() === 'ipv6' && addr.isIPv4MappedAddress()) {
      addr = addr.toIPv4Address();
    }
    // ipaddr.js reports 'unicast' only for globally routable addresses; every
    // other range name (private, loopback, linkLocal, uniqueLocal, reserved,
    // multicast, carrierGradeNat, ...) is treated as unsafe
    return addr.range() === 'unicast';
  } catch (e) {
    console.error("Error parsing IP address:", e);
    return false; // Consider the IP address unsafe if it cannot be parsed
  }
}
```
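As an added example (not code from the issue or from the cli project), the same guard written without a dependency: a strict IPv4 classifier that accepts only canonical dotted-decimal input, so shorthand or octal/hex spellings are rejected instead of being misclassified, and that only calls an address safe when it falls outside every private or reserved range. The names `parseIPv4Strict`, `ipv4Range` and `isSafeIPv4` are my own, and IPv6 is deliberately left out to keep the block short.

```javascript
// Non-global IPv4 ranges as [network, prefixLength, rangeName]. Order matters:
// the most specific entry (broadcast) comes before the /4 that contains it.
const IPV4_SPECIAL_RANGES = [
  ['0.0.0.0', 8, 'unspecified'],
  ['10.0.0.0', 8, 'private'],
  ['100.64.0.0', 10, 'carrierGradeNat'],
  ['127.0.0.0', 8, 'loopback'],
  ['169.254.0.0', 16, 'linkLocal'],
  ['172.16.0.0', 12, 'private'],
  ['192.0.0.0', 24, 'reserved'], // IETF protocol assignments
  ['192.168.0.0', 16, 'private'],
  ['198.18.0.0', 15, 'benchmarking'],
  ['224.0.0.0', 4, 'multicast'],
  ['255.255.255.255', 32, 'broadcast'],
  ['240.0.0.0', 4, 'reserved'],
];

// Parse strict dotted-decimal IPv4 into an unsigned 32-bit number.
// Returns null for anything else: fewer than four octets, hex or octal
// octets, leading zeros, or values above 255.
function parseIPv4Strict(text) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(text);
  if (!m) return null;
  let value = 0;
  for (let i = 1; i <= 4; i++) {
    const octet = m[i];
    if (octet.length > 1 && octet[0] === '0') return null; // octal ambiguity
    const n = Number(octet);
    if (n > 255) return null;
    value = value * 256 + n;
  }
  return value;
}

// Range name for a strictly parsed address ('unicast' when globally
// routable), or null when the text is not canonical dotted-decimal.
function ipv4Range(text) {
  const addr = parseIPv4Strict(text);
  if (addr === null) return null;
  for (const [net, prefix, name] of IPV4_SPECIAL_RANGES) {
    const mask = (0xFFFFFFFF << (32 - prefix)) >>> 0;
    const netValue = parseIPv4Strict(net);
    if (((addr & mask) >>> 0) === ((netValue & mask) >>> 0)) return name;
  }
  return 'unicast';
}

// Safe for an outbound request only if it parses strictly AND is global unicast.
function isSafeIPv4(text) {
  return ipv4Range(text) === 'unicast';
}
```

The strict parser is the point: a classifier that first normalises lenient spellings has to get every one of them right, whereas rejecting non-canonical input fails closed.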