fix: address SSRF bypass patterns in isPrivate/isPublic (CVE-2024-29415) #166
Open
abhu85 wants to merge 2 commits into indutny:main from
Conversation
This commit fixes multiple SSRF bypass patterns that allow attackers to bypass isPublic()/isPrivate() checks:

1. Null route "0" - now correctly identified as private (0.0.0.0)
2. 32-bit octal format "017700000001" - now correctly identified as loopback
3. IPv6 loopback variations (::1, 0:0:0:0:0:0:0:1) - improved detection
4. IPv6-mapped IPv4 loopback in hex (::ffff:7f00:1) - now detected
5. Short-form IPs (127.1, 127.0.1) - already handled, added tests

Changes:
- isLoopback() now normalizes IPv4 addresses before checking
- isPrivate() now checks for 0.0.0.0/8 range (null route)
- Added helper to extract IPv4 from IPv6-mapped addresses
- Comprehensive test coverage for all bypass patterns

Fixes: CVE-2024-29415
Refs: indutny#150, indutny#158, indutny#160, indutny#162
Add test cases for all known SSRF bypass patterns:
- Null route "0" (Issue indutny#160)
- 32-bit octal format "017700000001" (Issue indutny#162, CVE-2025-59436)
- Short-form IPs (127.1, 127.0.1)
- IPv6 loopback variations
- IPv6-mapped IPv4 addresses in hex notation
- Standard private range verification

These tests document the security-critical behavior and ensure bypass patterns are correctly identified as private/loopback.
Summary
This PR fixes multiple SSRF bypass vulnerabilities in `isPublic()` and `isPrivate()` that allow attackers to access internal resources by using non-standard IP address formats.

CVE: CVE-2024-29415, CVE-2025-59436
Severity: High (CVSS 8.1)
Impact: ~40 million weekly downloads
Bypass Patterns Fixed
| Input | Resolves to |
|---|---|
| `0` | `0.0.0.0` |
| `017700000001` | `127.0.0.1` |
| `127.1`, `127.0.1` | `127.0.0.1` |
| `0177.0.0.1` | `127.0.0.1` |
| `0x7f.0.0.1` | `127.0.0.1` |
| `0:0:0:0:0:0:0:1` | `::1` |
| `::ffff:7f00:1` | `127.0.0.1` |

Attack Scenario
Changes
lib/ip.js
- `isLoopback()`: Now normalizes IPv4 addresses using `normalizeToLong()` before checking, correctly handling all numeric formats
- `isPrivate()`: Added check for `0.0.0.0/8` range (null route/reserved)
- `_extractIPv4FromMapped()`: New helper to extract IPv4 from IPv6-mapped addresses (both dot and hex notation)
- `_isIPv6Loopback()`: New helper for expanded IPv6 loopback detection

test/api-test.js

Backward Compatibility
This fix is backward compatible:
Testing
`npm test`

All existing tests pass, plus 40+ new security-focused tests.
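The canonicalize-then-classify approach the Changes section describes (normalize every literal to a 32-bit value or eight IPv6 words, then apply the range checks), as an added JavaScript example that is not the `ip` package's code or this PR's diff. It covers the null route, the 32-bit octal, octal-octet, hex-octet and short forms, both IPv6 loopback spellings and the hex IPv4-mapped form from the table above; the names `parsePart`, `ipv4ToLong`, `ipv6Words`, `PRIVATE_V4` and `classify` are mine, not the library's.

```javascript
// Added example (not the `ip` package's code). One inet_aton part: hex "0x7f", octal "0177", decimal "127"; anything else is rejected.
function parsePart(s) {
  if (/^0[xX][0-9a-fA-F]+$/.test(s)) return parseInt(s.slice(2), 16);
  if (/^0[0-7]*$/.test(s)) return parseInt(s, 8);
  return /^[1-9][0-9]*$/.test(s) ? parseInt(s, 10) : null;
}
// 32-bit value of a 1- to 4-part IPv4 literal ("0", "127.1", "017700000001", "0x7f.0.0.1"), or null; the last part holds the remaining bits.
function ipv4ToLong(str) {
  const parts = str.split('.').map(parsePart);
  if (parts.length > 4 || parts.includes(null)) return null;
  const last = parts.pop(), lastWidth = 8 * (4 - parts.length);
  if (parts.some(p => p > 255) || last >= 2 ** lastWidth) return null;
  return parts.reduce((n, p) => n * 256 + p, 0) * 2 ** lastWidth + last;
}
// Eight 16-bit words of an IPv6 literal (expands "::", accepts a trailing dotted IPv4 as in ::ffff:127.0.0.1), or null if malformed.
function ipv6Words(str) {
  const [head, tail, extra] = str.split('::');
  if (extra !== undefined) return null;
  const h = head ? head.split(':') : [], t = tail ? tail.split(':') : [];
  const side = tail === undefined ? h : t;
  const dotted = side.length && side[side.length - 1].includes('.') ? side.pop() : null;
  const need = 8 - h.length - t.length - (dotted ? 2 : 0);
  if (tail === undefined ? need !== 0 : need < 1) return null;
  const groups = [...h, ...Array(need).fill('0'), ...t];
  if (groups.some(g => !/^[0-9a-fA-F]{1,4}$/.test(g))) return null;
  const words = groups.map(g => parseInt(g, 16));
  if (dotted) { const v4 = ipv4ToLong(dotted); if (v4 === null) return null; words.push(v4 >>> 16, v4 & 0xffff); }
  return words;
}
// Non-public IPv4 prefixes as [prefix, length]; 0.0.0.0/8 is the null route.
const PRIVATE_V4 = [[0x00000000, 8], [0x0a000000, 8], [0x7f000000, 8],
                    [0xa9fe0000, 16], [0xac100000, 12], [0xc0a80000, 16]];
// Verdict: 'loopback' | 'private' | 'public' | 'invalid'. Callers must treat 'invalid' as not public; an unparsable literal is never "safe".
function classify(addr) {
  let n;
  if (addr.includes(':')) {
    const w = ipv6Words(addr);
    if (!w) return 'invalid';
    if (w.slice(0, 7).every(x => x === 0) && w[7] === 1) return 'loopback';
    if (w.every(x => x === 0) || (w[0] & 0xfe00) === 0xfc00 || (w[0] & 0xffc0) === 0xfe80) return 'private';
    if (!(w.slice(0, 5).every(x => x === 0) && w[5] === 0xffff)) return 'public';
    n = w[6] * 65536 + w[7];                 // IPv4-mapped: apply the IPv4 rules below
  } else if ((n = ipv4ToLong(addr)) === null) {
    return 'invalid';
  }
  if ((n >>> 24) === 127) return 'loopback';
  return PRIVATE_V4.some(([p, len]) => (n >>> (32 - len)) === (p >>> (32 - len))) ? 'private' : 'public';
}
```

The point of the split is that `classify()` never sees the raw string: whatever spelling arrives, the range checks run on the same canonical value, so a new spelling cannot bypass them without first defeating the parser.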
Related Issues
- "0") #160 (Null route bypass)

Why Not PR #144?
PR #144 takes a more aggressive approach requiring Node.js 15+ and rejecting non-standard formats entirely. This PR:
References