Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2020-28360

UNKNOWN
Published 2020-11-23T20:33:13
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2020-28360. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

Insufficient RegEx in private-ip npm package v1.0.5 and below insufficiently filters reserved IP ranges resulting in indeterminate SSRF. An attacker can perform a large range of requests to ARIN reserved IP ranges, resulting in an indeterminable number of critical attack vectors, allowing remote attackers to request server-side resources or potentially execute arbitrary code through various SSRF techniques.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed CRITICAL

Server-Side Request Forgery in private-ip

GHSA-43ch-2h55-2vj7

Advisory Details

Insufficient RegEx in private-ip npm package v1.0.5 and below insufficiently filters reserved IP ranges resulting in indeterminate SSRF. An attacker can perform a large range of requests to ARIN reserved IP ranges, resulting in an indeterminable number of critical attack vectors, allowing remote attackers to request server-side resources or potentially execute arbitrary code through various SSRF techniques.

Affected Packages

npm private-ip
ECOSYSTEM: ≥0 <2.0.0

CVSS Scoring

CVSS Score

9.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2020-28360
WEB https://github.com/frenchbread/private-ip/commit/840664c4b9ba7888c41cfee9666e9a593db133e9
WEB https://github.com/frenchbread/private-ip
WEB https://johnjhacking.com/blog/cve-2020-28360
WEB https://www.npmjs.com/package/private-ip

Advisory provided by GitHub Security Advisory Database. Published: April 13, 2021, Modified: March 29, 2021

References

https://www.npmjs.com/package/private-ip
https://github.com/frenchbread/private-ip

HackerOne Reports

Unexpected input validation of octal literals in nodejs v15.12.0 and below returns defined values for all undefined octal literals. Critical
sickcodes
Node.js
Use of Inherently Dangerous Function
View Report
Published: 2020-11-23T20:33:13
Last Modified: 2024-08-04T16:33:59.002Z
Copied to clipboard!