VYPR

npm package

private-ip

pkg:npm/private-ip

Vulnerabilities (2)

  • CVE-2025-8020 · High · Jul 23, 2025
    affected <= 3.0.2

    All versions of the package private-ip are vulnerable to Server-Side Request Forgery (SSRF) where an attacker can provide an IP or hostname that resolves to a multicast IP address (224.0.0.0/4) which is not included as part of the private IP ranges in the package's source code.

  • CVE-2020-28360 · Critical · Nov 23, 2020
    affected < 2.0.0, fixed 2.0.0

    Insufficient RegEx in private-ip npm package v1.0.5 and below insufficiently filters reserved IP ranges resulting in indeterminate SSRF. An attacker can perform a large range of requests to ARIN reserved IP ranges, resulting in an indeterminable number of critical attack vectors,