CVE-2024-29415

8.1 HIGH

Published: May 27, 2024 Modified: April 15, 2026

Description

The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0

Vector String

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

https://github.com/indutny/node-ip/issues/150

Source: cve@mitre.org

https://github.com/indutny/node-ip/pull/143

Source: cve@mitre.org

https://github.com/indutny/node-ip/pull/144

Source: cve@mitre.org

https://github.com/indutny/node-ip/issues/150

Source: af854a3a-2127-422b-91ae-364da2661108

https://github.com/indutny/node-ip/pull/143

Source: af854a3a-2127-422b-91ae-364da2661108

https://github.com/indutny/node-ip/pull/144

Source: af854a3a-2127-422b-91ae-364da2661108

https://security.netapp.com/advisory/ntap-20250117-0010/

Source: af854a3a-2127-422b-91ae-364da2661108

7 reference(s) from NVD

Quick Stats

CVSS v3 Score

8.1 / 10.0

EPSS (Exploit Probability)

84.6%

99th percentile

Exploitation Status

Not in CISA KEV

Weaknesses (CWE)

CWE-918 CWE-941

Related CVEs

CVE-2026-5231 7.2

CVE-2026-5162 6.4

CVE-2026-4817 6.5

CVE-2026-3488 6.5

CVE-2026-40922 N/A