Insufficient RegEx in private-ip npm package v1.0.5 and below insufficiently filters reserved IP ranges resulting in indeterminate SSRF. An attacker can perform a large range of requests to ARIN reserved IP ranges, resulting in an indeterminable number of critical attack vectors, allowing remote attackers to request server-side resources or potentially execute arbitrary code through various SSRF techniques.

Affected Packages

npm private-ip

Affected versions: 0 (fixed in 2.0.0)

Related CVEs

CVE-2020-28360

Key Information

GHSA ID

GHSA-43ch-2h55-2vj7

Published

April 13, 2021 3:18 PM

Last Modified

March 29, 2021 9:49 PM

CVSS Score

9.0 /10

Primary Ecosystem

npm

Primary Package

private-ip

GitHub Reviewed

✓ Yes

Dataset

Last updated: September 29, 2025 6:31 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.