CVE-2020-28360 – private-ip npm package – Incorrect Regular Expression – Insufficient RegEx in private-ip npm package v1.0.5 and below insufficiently filters reserved IP ranges resulting in indeterminate SSRF.

CVE ID

CVE-2020-28360

CVSS Score

9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Internal ID

SICK-2020-022

Vendor

private-ip Project

Product

private-ip

Product Versions:

1.0.5 and below

Vulnerability Details

Insufficient RegEx in private-ip npm package v1.0.5 and below insufficiently filters reserved IP ranges resulting in indeterminate SSRF. An attacker can perform a large range of requests to ARIN reserved IP ranges, resulting in an indeterminable number of critical attack vectors for server-side projects using private-ip 1.0.5 and below.

The private-ip npm package is a popular server-side package which fails to filter ARIN reserved IP ranges, allowing remote attackers to request server-side resources or potentially execute arbitrary code through various SSRF techniques.

The package is a security package used to attempt to prevent remote requests from reaching internal resources. Implemented RegEx in the v1.0.5 and below insufficiently account for a wide range of variations of localhost, private IP ranges, and IP ranges that are otherwise reserved by ARIN.

Vendor Response

Patched in version 2.0.0

Credits

@johnjhacking – https://twitter.com/johnjhacking/ Application Security Engineer @Shutterstock: Initial discovery.

Harold Hunt – https://www.linkedin.com/in/huntharo/ Site Reliability Engineering @Shutterstock: Initial discovery.

@sickcodes – https://twitter.com/sickcodes/ Independent Security Researcher: Further analysis, co-authored patch & proofs of concept.

@tensor_bodega – https://twitter.com/tensor_bodega Machine Learning Engineer @Squarespace: Further analysis, co-authored patch & proofs of concept.

Disclosure Timeline

• 2020-11-06 – Researchers at Shutterstock identify vulnerability (John Jackson & Harold Hunt).
• 2020-11-06 – CVE Requested.
• 2020-11-08 – CVE Assigned CVE-2020-28360.
• 2020-11-08 – Researchers notify npm.
• 2020-11-11 – Maintainer notified.
• 2020-11-11 – Maintainer responds.
• 2020-11-18 – Researcher requests update from maintainer.
• 2020-11-18 – Maintainer asks for clarification.
• 2020-11-18 – Researchers provide examples of usage in the wild.
• 2020-11-19 – Maintainer provides attempted patch.
• 2020-11-19 – Researchers invalidate patch.
• 2020-11-19 – Additional researchers engaged to validate the vulnerability, and create PoC (Sick Codes & Nick Sahler)
• 2020-11-19 – Additional researchers validate further, write PoC, replace regex with more comprehensive netmask package, and submit PR.
• 2020-11-20 – Maintainer notified that PR is in.
• 2020-11-24 – Maintainer merges PR.
• 2020-11-24 – Researchers publishes CVE-2020-28360

References

https://www.npmjs.com/package/private-ip

https://johnjhacking.com/blog/cve-2020-28360

https://github.com/sickcodes/security/blob/master/advisories/SICK-2020-022.md

https://sick.codes/sick-2020-022

https://twitter.com/johnjhacking

https://www.linkedin.com/in/huntharo

https://twitter.com/sickcodes

https://twitter.com/tensor_bodega

CVE Links

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28360

https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-28360

Mitigation

Update private-ip to version 2.0.0.