1.0.5 and below
Insufficient RegEx in private-ip npm package v1.0.5 and below insufficiently filters reserved IP ranges resulting in indeterminate SSRF. An attacker can perform a large range of requests to ARIN reserved IP ranges, resulting in an indeterminable number of critical attack vectors for server-side projects using private-ip 1.0.5 and below.
The private-ip npm package is a popular server-side package which fails to filter ARIN reserved IP ranges, allowing remote attackers to request server-side resources or potentially execute arbitrary code through various SSRF techniques.
The package is a security package used to attempt to prevent remote requests from reaching internal resources. Implemented RegEx in the v1.0.5 and below insufficiently account for a wide range of variations of localhost, private IP ranges, and IP ranges that are otherwise reserved by ARIN.
Patched in version 2.0.0
@johnjhacking – https://twitter.com/johnjhacking/ Application Security Engineer @Shutterstock: Initial discovery.
Harold Hunt – https://www.linkedin.com/in/huntharo/ Site Reliability Engineering @Shutterstock: Initial discovery.
@sickcodes – https://twitter.com/sickcodes/ Independent Security Researcher: Further analysis, co-authored patch & proofs of concept.
@tensor_bodega – https://twitter.com/tensor_bodega Machine Learning Engineer @Squarespace: Further analysis, co-authored patch & proofs of concept.
- 2020-11-06 – Researchers at Shutterstock identify vulnerability (John Jackson & Harold Hunt).
- 2020-11-06 – CVE Requested.
- 2020-11-08 – CVE Assigned CVE-2020-28360.
- 2020-11-08 – Researchers notify npm.
- 2020-11-11 – Maintainer notified.
- 2020-11-11 – Maintainer responds.
- 2020-11-18 – Researcher requests update from maintainer.
- 2020-11-18 – Maintainer asks for clarification.
- 2020-11-18 – Researchers provide examples of usage in the wild.
- 2020-11-19 – Maintainer provides attempted patch.
- 2020-11-19 – Researchers invalidate patch.
- 2020-11-19 – Additional researchers engaged to validate the vulnerability, and create PoC (Sick Codes & Nick Sahler)
- 2020-11-19 – Additional researchers validate further, write PoC, replace regex with more comprehensive netmask package, and submit PR.
- 2020-11-20 – Maintainer notified that PR is in.
- 2020-11-24 – Maintainer merges PR.
- 2020-11-24 – Researchers publishes CVE-2020-28360
Update private-ip to version 2.0.0.