Platform
nodejs
Component
ip
Fixed in
2.0.2
CVE-2025-59436 describes a Server-Side Request Forgery (SSRF) vulnerability found in the ip (also known as node-ip) Node.js package. This flaw arises from an improper categorization of the IP address 017700000001 as globally routable, potentially allowing attackers to initiate unauthorized requests. The vulnerability affects versions 0.0 through 2.0.1 of the package, and a fix is available in version 2.0.2.
The SSRF vulnerability in the ip package arises from an incomplete fix addressing CVE-2024-29415. Specifically, the package incorrectly categorizes the IP address 017700000001 as globally routable, even though it is not. An attacker could leverage this misclassification to craft malicious requests that bypass intended security controls. Successful exploitation could allow an attacker to scan internal networks, access sensitive data residing on internal servers, or even interact with internal services that are not exposed to the public internet. The blast radius depends on the internal network's configuration and the sensitivity of the resources accessible from the server running the vulnerable package.
CVE-2025-59436 was published on 2025-09-16. The vulnerability is related to a previous SSRF issue (CVE-2024-29415) and represents an incomplete remediation. There is no indication of active exploitation or KEV listing at the time of writing. Public proof-of-concept code is not yet available, but the SSRF nature of the vulnerability makes it likely that such code will emerge.
Applications built with Node.js that utilize the ip package for IP address manipulation are at risk. This includes applications deployed in cloud environments where access to metadata services is a concern, as well as applications that handle user-supplied IP addresses without proper validation.
• nodejs / supply-chain:
npm list ip # shows every installed copy of ip and its version
npm audit # reports known advisories for ip alongside the other dependencies (npm audit takes no package-name argument)
• generic web:
curl -I http://your-node-app/ip-endpoint # Check for unexpected outbound requests in response headers
grep -r '017700000001' /var/log/nginx/access.log # Look for requests containing the problematic IP address in access logs
Disclosure
Exploit status
EPSS
0.01% (2nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-59436 is to upgrade the ip package to version 2.0.2 or later. This version includes the corrected logic to properly identify globally routable IP addresses. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) or proxy to filter outbound requests and block those that appear malicious. Specifically, block requests originating from or destined for the problematic IP address 017700000001. Review and restrict network access controls to limit the potential impact of a successful SSRF attack. After upgrading, verify the fix by attempting to make a request using the problematic IP address and confirming that it is correctly classified as non-routable.
Update the `ip` package to a version newer than 2.0.1 if a fixed version is available. This mitigates the SSRF vulnerability caused by the incorrect categorization of certain IP addresses as publicly routable. See the release notes for further remediation details.
CVE-2025-59436 is a Server-Side Request Forgery (SSRF) vulnerability in the ip Node.js package, allowing attackers to potentially trigger unauthorized requests.
You are affected if your application uses the ip Node.js package versions 0.0 through 2.0.1.
Upgrade the ip Node.js package to version 2.0.2 or later. Implement input validation as a temporary workaround.
As of the current date, there are no publicly available proof-of-concept exploits or confirmed active exploitation campaigns.
Refer to the npm advisory and the ip Node.js package repository for updates and official information: [https://www.npmjs.com/advisories/1766](https://www.npmjs.com/advisories/1766)