docker-alpine
CVE-2023-42282 NPM package "ip" vulnerability
Node Alpine 18.19-alpine3.19 and below have the "ip" package vulnerability. From the NIST issue link:
The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.
Although the images are using [email protected], it looks like the proper fix is applied in [email protected]. Since it is a dependency of npm, it appears updating the npm version to the latest will resolve the issue.
Impacted versions: <=0.4.23
Discovered: Feb 8, 2024
Updated: Mar 6, 2024