🚨 Security Vulnerability: ip npm package is unsafe for use as of v1.1.8 #2294
Comments
Seems like this upstreams to the latest version of react-native.
The ip package's last update was 2 years ago. My problem is with puppeteer instead of react, but it is the same issue: will the ip package really be updated? I think it is not maintained anymore...
There's no workaround; the library needs to be either patched or replaced.

FYI, the only affected command is
### Feature or Bugfix

- Bugfix

### Detail

- Add `.nsprc` file for ignored vulnerabilities in `better-npm-audit`.
- Added `ip` package to ignored vulnerabilities with expiration 2024/02/28: https://www.cve.org/CVERecord?id=CVE-2023-42282

The vulnerability found in `ip` affects us because we use the `react-native-community/cli` package. In this package repository an [issue reporting the vulnerability](react-native-community/cli#2294) was already raised.

Update: the `ip` team is working on a fix: indutny/node-ip#138

### Relates

- https://www.cve.org/CVERecord?id=CVE-2023-42282

### Security

Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/).

- Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)?
  - Is the input sanitized?
  - What precautions are you taking before deserializing the data you consume?
  - Is injection prevented by parametrizing queries?
  - Have you ensured no `eval` or similar functions are used?
- Does this PR introduce any functionality or component that requires authorization?
  - How have you ensured it respects the existing AuthN/AuthZ mechanisms?
  - Are you logging failed auth attempts?
- Are you using or adding any cryptographic features?
  - Do you use standard, proven implementations?
  - Are the used keys controlled by the customer? Where are they stored?
- Are you introducing any new policies/roles/users?
  - Have you used the least-privilege principle? How?

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
Problem: no fix yet for IP package: react-native-community/cli#2294
Same error here.

The PR is opened here and should probably be merged soon.

I wouldn't count on it being merged soon... I've seen a lot of dependent libraries moving away from

I have tried patching the ip library, but it still does not work for me.
FYI, there is now a 1.1.9 and 2.0.1. However, the CVE needs to be updated to allow the 1.1.9 release to be seen as a valid fix:

1.1.9 is within the semver range, so refreshing the lock file should be enough. Additionally we merged #2299 (which drops the dependency on

Yeah... I just wanted to point out that this release now exists and that people might still see dependabot etc. complain until the CVE is updated.
Thanks for doing that @lsmith77 |
If using React Native version 0.68.2, how can we get the patch/fix?
@azmainamin it should be enough to regenerate the lockfile entry for this package in your project, now that github/advisory-database#3553 is merged |
The NPM `ip` package is vulnerable to Server-Side Request Forgery (SSRF) attacks; see the GitHub advisory for more information.

Affected packages:

- `@react-native-community/cli-doctor@12.3.2` includes `ip` in the package.json file, but it doesn't appear to be used in the code itself.
- `@react-native-community/cli-hermes@12.3.2`: it looks like `ip.isPublic` isn't explicitly used within the `@react-native-community/cli-hermes@12.3.2` pkg (cli/packages/cli-hermes/src/profileHermes/sourcemapUtils.ts, line 37 in 2602f83). However, `ip.address` does call `ip.isPublic` under the hood.

Could potentially introduce a function to check that the IP address isn't private or reserved, using the `ipaddr.js` lib.
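A dependency-free version of the check suggested above, added here as an example and not code from the react-native-community/cli project or the `ip` package: it accepts only strictly formatted dotted-quad IPv4 strings and rejects private and reserved ranges before an address is used as an outbound request target. The `ipaddr.js` library the comment suggests would serve the same purpose; this example avoids the dependency so it runs stand-alone, handles IPv4 only, and the range list is assembled here rather than taken from the page.

```javascript
// Private/reserved IPv4 ranges as [network, prefixLength] (list assembled for this example).
const NON_PUBLIC_V4 = [
  ["0.0.0.0", 8],        // "this" network
  ["10.0.0.0", 8],       // RFC 1918 private
  ["100.64.0.0", 10],    // carrier-grade NAT
  ["127.0.0.0", 8],      // loopback
  ["169.254.0.0", 16],   // link-local
  ["172.16.0.0", 12],    // RFC 1918 private
  ["192.0.0.0", 24],     // IETF protocol assignments
  ["192.0.2.0", 24],     // TEST-NET-1
  ["192.168.0.0", 16],   // RFC 1918 private
  ["198.18.0.0", 15],    // benchmarking
  ["198.51.100.0", 24],  // TEST-NET-2
  ["203.0.113.0", 24],   // TEST-NET-3
  ["224.0.0.0", 4],      // multicast
  ["240.0.0.0", 4],      // reserved, including broadcast
];

// Strict parse: exactly four decimal octets, no leading zeros, no hex/octal
// notation, no shorthand such as fewer than four octets, no surrounding
// whitespace. Returns the address as an unsigned 32-bit number, or null.
function parseStrictIPv4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  let n = 0;
  for (let i = 1; i <= 4; i++) {
    const octet = m[i];
    if (octet.length > 1 && octet[0] === "0") return null; // reject "01"-style octets
    const v = Number(octet);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n;
}

// True when addr falls inside the [network, prefix] range.
function inRange(addr, [net, prefix]) {
  const mask = (0xffffffff << (32 - prefix)) >>> 0;
  return ((addr & mask) >>> 0) === ((parseStrictIPv4(net) & mask) >>> 0);
}

// True only for strictly formatted, publicly routable IPv4 addresses;
// anything unparseable is treated as non-public (fail closed).
function isPublicIPv4(s) {
  const addr = parseStrictIPv4(s);
  if (addr === null) return false;
  return !NON_PUBLIC_V4.some((range) => inRange(addr, range));
}
```

Because the parser fails closed, a caller should reject (rather than fall back to a lenient parser for) any target that `isPublicIPv4` refuses.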