-
CVSS Score
-Basic Information
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| ip | npm | <= 2.0.1 |
Miggo AIRoot Cause AnalysisThe vulnerability (CVE-2024-29415) states that the ip package improperly categorizes certain IP addresses as globally routable via the isPublic function. This miscategorization can lead to Server-Side Request Forgery (SSRF).
The analysis of the provided commit information (specifically from pull request #144, which includes commit 94f82bd4f2bace0c228bbbfe70073a71536fcbdf) reveals that the core issue lay in how the ip.isPrivate and ip.isLoopback functions parsed and normalized various non-standard IP address formats (e.g., '127.1', '01200034567', '012.1.2.3', '::ffff:127.0.0.1').
ip.isPublic is directly implicated as it relies on !ip.isPrivate(). If isPrivate is wrong, isPublic is wrong.ip.isPrivate contained complex logic, including calls to ip.normalizeToLong and, in earlier versions or implicitly, relied on ip.isLoopback. The patches show this internal logic being replaced by a call to a new ip.normalize() (later ip.normalizeStrict()) function that uses the Node.js net module for more reliable IP parsing.ip.isLoopback also had its own parsing for octal, hexadecimal, and long integer IP formats, which was flawed and replaced by the new normalization approach.The vulnerable functions are those that performed the incorrect categorization due to flawed input processing. The patches fundamentally changed this processing by removing custom, error-prone parsing logic from these functions and delegating normalization to a more robust mechanism. The examples provided in the CVE (like '127.1', '01200034567') highlight inputs that the old parsing logic in isPrivate and isLoopback would misinterpret, leading isPublic to an incorrect conclusion.