HIGH · CVSS 7.5
CVE-2024-29415 — ip SSRF allowlist bypass
The `ip` npm package, widely used to decide whether an address is "private" as part of an SSRF defense, could be bypassed with octal, hexadecimal or zero-padded encodings of an address: `ip.isPrivate()` treated those encodings as public, so any SSRF allowlist built on it was incomplete.
Affects
- ip < 2.0.1
- ip < 1.1.9
What an attacker does
The attacker supplies an octal or hex representation of a private IP (e.g., `0177.0.0.1` for 127.0.0.1). Before the patch, `ip.isPrivate()` returned `false` on these, letting SSRF filters pass the request through to loopback / metadata endpoints.
How to detect
Run `npm ls ip` to find every copy of the package in your dependency tree (transitive dependencies included) and compare the versions against the affected ranges above. Then audit every `ip.isPrivate()` call in your codebase: each one is a place where a non-canonical address encoding would have been classified as public.
How to fix
Upgrade `ip` to 2.0.1+ (or 1.1.9+ on the 1.x line). Beyond the upgrade, do not rely on a string check of the URL alone: prefer `@fastify/ssrf-agent` or a check performed on the address the hostname actually resolves to at connection time, since that is the address the request will reach regardless of how it was spelled in the URL.
How Securie catches it
Securie's SSRF specialist checks every call site of `ip.isPrivate()`.