Dependabot: ip SSRF improper categorization in isPublic

Package: ip (npm)
Affected versions: <= 2.0.1
Patched version: None

Locations:
* [application-code/nodejs-demoapp/src/package-lock.json](https://github.com/aws-ia/ecs-blueprints/blob/-/application-code/nodejs-demoapp/src/package-lock.json)
* [application-code/ecsdemo-nodejs/package-lock.json](https://github.com/aws-ia/ecs-blueprints/blob/-/application-code/ecsdemo-nodejs/package-lock.json)

Dependabot couldn't auto-generate a ticket for this, so manually creating.

> The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for [CVE-2023-42282](https://github.com/advisories/GHSA-78xj-cgh5-2h22).

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Dependabot: ip SSRF improper categorization in isPublic #255

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Dependabot: ip SSRF improper categorization in isPublic #255

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions