NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks


GitHub Dependabot alerts me about this security issue in my Angular repo:

An issue in all published versions of the NPM package ip allows an attacker to execute arbitrary code and obtain sensitive information via the isPublic() function. This can lead to potential Server-Side Request Forgery (SSRF) attacks. The core issue is the function's failure to accurately distinguish between public and private IP addresses.

more details:

  • my angular app version is 14.2.0
  • node version is 18.15.0

I'm new to Node.js & Angular and I'm not expecting anything yet.

please help :)

It is not completely fixed in 1.1.9 and 2.0.1 (See https://github.com/indutny/node-ip/pull/143). You can manually inspect whether you are actually vulnerable (likely not), or switch to another actively maintained library instead.


This vulnerability is now fixed in ip 1.1.9 and 2.0.1. If you are not sure, you can just use the latest version. Dependabot may have opened a pull request for you, then you can just merge it. Otherwise, you may use npm update ip, or add an overrides field in package.json:

{
  "overrides": {
    "ip": "^2.0.1"
  }
}

(or "^1.1.9"; package.json is plain JSON, so the version note cannot go inside the file as a comment)

Reference: node.js - How to update npm nested (vulnerable) dependency? - Stack Overflow


Original answer:

It should be fine if your app (the part that may directly or indirectly use the ip npm package) is frontend only.

Even if the ip package is used in the backend deployed in production, it's still very likely that your app is not vulnerable. You can investigate your lock file or use npm why ip to see what packages depend on the ip package and how they are used. Server Side Request Forgery Prevention - OWASP Cheat Sheet Series explains what an SSRF attack is. The ip package vulnerability is exploitable if the isPublic function is used to guard a network request.