Vulnerability: express-ipfilter use Depends on vulnerable versions of ip package

[DmytroShalaiev]

ip *
Severity: high
NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks - GHSA-78xj-cgh5-2h22
No fix available
node_modules/ip
express-ipfilter *
Depends on vulnerable versions of ip
node_modules/express-ipfilter

[jetersen]

Not relevant, we do not use isPublic, see https://github.com/search?q=repo%3Ajetersen%2Fexpress-ipfilter%20isPublic&type=code

[DmytroShalaiev]

Thanks for reply, I am about this package https://github.com/jetersen/express-ipfilter/blob/master/package.json#L78

[DmytroShalaiev]

But seems there is no fix from https://github.com/indutny/node-ip

[jetersen]

But the vulnerability is only in there if you actively use isPublic
Please read the CVE.

[DmytroShalaiev]

Oh, sure, I understood, thanks for the reply.

[odubuc]

This logic doesn't compute for me.
what is the downside to upgrade and get rid of false positive report ?

[jetersen]

Feel free to submit a PR. There are plenty of false positive.

[jetersen]

Fixed in https://github.com/jetersen/express-ipfilter/releases/tag/v1.3.2

[odubuc]

Thanks will do next time. I misunderstood your comment

[jetersen]

@odubuc well you can read this: indutny/node-ip#136 (comment) it details the issue I have with this CVE