fix: address SSRF bypass patterns in isPrivate/isPublic (CVE-2024-29415)

[abhu85]

Summary

This PR fixes multiple SSRF bypass vulnerabilities in isPublic() and isPrivate() that allow attackers to access internal resources by using non-standard IP address formats.

CVE: CVE-2024-29415, CVE-2025-59436
Severity: High (CVSS 8.1)
Impact: ~40 million weekly downloads

Bypass Patterns Fixed

Pattern	Example	Resolves To	Issue
Null route	0	0.0.0.0	#160
32-bit octal	017700000001	127.0.0.1	#162
Short-form	127.1, 127.0.1	127.0.0.1	#150
Octal notation	0177.0.0.1	127.0.0.1	#150
Hex notation	0x7f.0.0.1	127.0.0.1	#150
IPv6 expanded	0:0:0:0:0:0:0:1	::1	#150
IPv6-mapped hex	::ffff:7f00:1	127.0.0.1	#122

Attack Scenario

// Typical vulnerable application
function makeRequest(userUrl) {
    const hostname = new URL(userUrl).hostname;
    
    if (ip.isPublic(hostname)) {
        return fetch(userUrl); // BYPASSED!
    }
    throw new Error("Private IP blocked");
}

// These attacks succeed without this fix:
makeRequest("http://0:3000/admin");           // Null route
makeRequest("http://017700000001:3000/admin"); // 32-bit octal
makeRequest("http://127.1:3000/admin");        // Short-form

Changes

lib/ip.js

• isLoopback(): Now normalizes IPv4 addresses using normalizeToLong() before checking, correctly handling all numeric formats
• isPrivate(): Added check for 0.0.0.0/8 range (null route/reserved)
• _extractIPv4FromMapped(): New helper to extract IPv4 from IPv6-mapped addresses (both dot and hex notation)
• _isIPv6Loopback(): New helper for expanded IPv6 loopback detection

test/api-test.js

• Added comprehensive test suite for all SSRF bypass patterns
• Tests document security-critical behavior
• Covers edge cases and regression scenarios

Backward Compatibility

This fix is backward compatible:

• No breaking API changes
• No new dependencies
• Works with existing Node.js versions supported by this package
• Only changes classification of addresses that were incorrectly identified

Testing

npm test

All existing tests pass, plus 40+ new security-focused tests.

Related Issues

• Fixes Security Advisory: NPM ip package still incorrectly identifies some private IP addresses as public #150 (Security Advisory)
• Fixes CVE-2024-29415 #158 (CVE-2024-29415)
• Fixes Additional SSRF Bypass: Null Route Format ("0") #160 (Null route bypass)
• Fixes Additional SSRF Bypass: Octal Format ("017700000001") #162 (32-bit octal bypass, CVE-2025-59436)
• Related to Private IPv4 mapped regions are only matched in dot-notation #122 (IPv6-mapped notation)
• Alternative to lib: use Node.js net lib and reject malformed addresses #144 (which requires breaking changes)

Why Not PR #144?

PR #144 takes a more aggressive approach requiring Node.js 15+ and rejecting non-standard formats entirely. This PR:

• Maintains backward compatibility
• Works with older Node.js versions
• Correctly classifies non-standard formats instead of rejecting them
• Can be released as a patch version (2.0.2)

References

• CVE-2024-29415
• CVE-2025-59436
• GHSA-2p57-rm9w-gvfp
• OWASP SSRF Prevention Cheat Sheet

[sokol8]

is this packaged maintained at all?
I don't see a fix for this in the last 2 years

[abhu85]

Maintenance has been sporadic - the last merge was Feb 2024 for CVE-2023-42282. The current CVE has been open since then with multiple fix PRs waiting.

If this doesn't get merged, you have options:

• Fork and patch - the fix is backward compatible
• Use an alternative - ipaddr.js handles normalization correctly
• Override in package.json - use npm:@user/patched-ip resolution