High severity8.1NVD Advisory· Published May 27, 2024· Updated Apr 15, 2026
CVE-2024-29415
CVE-2024-29415
Description
The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
ipnpm | <= 2.0.1 | — |
Patches
2eb8f485c04152bc51ccf17d8Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
7- github.com/advisories/GHSA-2p57-rm9w-gvfpghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-29415ghsaADVISORY
- github.com/indutny/node-ip/issues/150nvdWEB
- github.com/indutny/node-ip/pull/143nvdWEB
- github.com/indutny/node-ip/pull/144nvdWEB
- security.netapp.com/advisory/ntap-20250117-0010ghsaWEB
- security.netapp.com/advisory/ntap-20250117-0010/nvd
News mentions
0No linked articles in our index yet.