🚨 Security Vulnerability: ip npm package is unsafe for use as of v1.1.8

[taylorjdawson]

NPM ip package is vulnerable to Server-Side Request Forgery (SSRF) attacks, see GitHub advisory for more information.

Effected packages:

• @react-native-community/cli-doctor@12.3.2 includes ip in the package.json file but doesn't appear to be used in the code itself.

• @react-native-community/cli-hermes@12.3.2:
  It looks like the ip.isPublic isn't explictly used within the @react-native-community/cli-hermes@12.3.2 pkg:

  cli/packages/cli-hermes/src/profileHermes/sourcemapUtils.ts

  Line 37 in 2602f83

  const IP_ADDRESS = ip.address();

  However, ip.address does call ip.isPublic under the hood:

  //...
        return name === 'public' ? ip.isPrivate(details.address)
      : ip.isPublic(details.address);
  });
  

Could potentially introduce a function to check that the IP address isn't private or reserved using the ipaddr.js lib

// Function to check if the IP address is safe to use (not private or reserved)
function isSafeIPAddress(ipAddress) {
  try {
    const addr = ipaddr.parse(ipAddress);

    // Check if the IP address is in a private or reserved range
    const range = addr.range();
    return range !== 'private' && range !== 'loopback' && range !== 'linkLocal' && range !== 'uniqueLocal';
  } catch (e) {
    console.error("Error parsing IP address:", e);
    return false; // Consider the IP address unsafe if it cannot be parsed
  }
}

[glitch-txs]

seems like this upstreams to the latest version of react-native

[darakeon]

The ip package last update was 2 years ago.
https://www.npmjs.com/package/ip

My problem is with puppeteer instead of react, but same issue: will really ip package be updated? I think it is not maintained anymore...

[glitch-txs]

anyone find any workaround pls share here, thanks!

there's no workaround, the library needs to be either patched or replaced

[thymikee]

FYI, the only affected command is profile-hermes when producing source maps. If you're not using it on a server (e.g. your CI), you're safe to ignore this and wait for us to patch it once we have a proper solution. If you are using it however, please disable it temporarily.

[henriquelomarques]

same error here

[antoinecaputo]

The PR is opened here and should probably be merged soon.

[mnikolaus]

The PR is opened here and should probably be merged soon.

I wouldn't count on it to be merged soon... I've seen a lot of depended libraries moving away from ip lib. I think @taylorjdawson proposal is very sound

[whayu901]

anyone find any workaround pls share here, thanks!

there's no workaround, the library needs to be either patched or replaced

i have tried patched the ip library. But still not work for me

[lsmith77]

FYI there is now a 1.1.9 and 2.0.1.

However the CVE needs to be updated to allow the 1.1.9 release to be seen as a valid fix:
github/advisory-database#3553

[thymikee]

1.1.9 is within the semver range so refreshing the lock file should be enough. Additionally we merged #2299 (which drops the dependency on ip offering an alternative) which we intend to backport to RN 0.72 and 0.71 – although with the fix being within the semver range, I'm not sure if that's gonna be necessary and will leave that to the RN release crew to decide.

[lsmith77]

yeah .. I just wanted to point out that this release now exists and that people might still see dependabot etc complain until the CVE is updated.

[thymikee]

Thanks for doing that @lsmith77

[azmainamin]

If using React Native version 0.68.2. How can we get the patch/fix?

[thymikee]

@azmainamin it should be enough to regenerate the lockfile entry for this package in your project, now that github/advisory-database#3553 is merged