CVE-2023-42282 | npm ip package vulnerable to SSRF or RCE #5761

Closed
boxexchanger opened this issue Feb 11, 2024 · 2 comments
Comments

@boxexchanger

boxexchanger commented Feb 11, 2024

CVE-2023-42282 GHSA-78xj-cgh5-2h22
https://nvd.nist.gov/vuln/detail/CVE-2023-42282
TooTallNate/proxy-agents#280

Severity: high
NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks

Will install pm2@3.5.2, which is a breaking change
node_modules/ip
  pac-resolver  >=1.3.0
  Depends on vulnerable versions of ip
  node_modules/pac-resolver
    pac-proxy-agent  >=1.1.0
    Depends on vulnerable versions of pac-resolver
    node_modules/pac-proxy-agent
      proxy-agent  >=2.1.0
      Depends on vulnerable versions of pac-proxy-agent
      node_modules/proxy-agent
        @pm2/agent  >=0.5.25
        Depends on vulnerable versions of proxy-agent
        node_modules/@pm2/agent
          pm2  >=4.0.0
          Depends on vulnerable versions of @pm2/agent
          node_modules/pm2
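The advisory linked in this issue (CVE-2023-42282) concerns ip.isPublic() treating non-canonical IPv4 literals such as 0x7f.1 as publicly routable, which lets an SSRF filter built on it be bypassed. Below is an added example, not code from this issue or from the ip/proxy-agent packages, of a fail-closed IPv4 classifier: it only accepts canonical dotted-quad literals (optionally IPv4-mapped) and then checks them against loopback, RFC 1918, link-local and other non-public ranges. The function names and range list are my own choices.

```javascript
// Added example: strict IPv4 classification that rejects the hex/octal/short
// octet forms (e.g. "0x7f.1", "0177.0.0.1") behind CVE-2023-42282, then checks
// canonical addresses against non-public ranges. Not part of the ip package.

// Exactly four decimal octets 0-255, no leading zeros (leading zeros are read as octal by some stacks).
const OCTET = '(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)';
const CANONICAL_IPV4 = new RegExp(`^${OCTET}(\\.${OCTET}){3}$`);

// Returns the four octets for a canonical literal, or null for anything else.
function parseCanonicalIPv4(addr) {
  let s = String(addr).trim();
  // Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it is judged by the same rules.
  const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/i.exec(s);
  if (mapped) s = mapped[1];
  if (!CANONICAL_IPV4.test(s)) return null; // rejects 0x7f.1, 0177.0.0.1, 2130706433, ...
  return s.split('.').map(Number);
}

// Ranges a server-side fetcher should not be allowed to reach (constructed list).
const BLOCKED = [
  [[10, 0, 0, 0], 8], [[172, 16, 0, 0], 12], [[192, 168, 0, 0], 16], // RFC 1918
  [[127, 0, 0, 0], 8],      // loopback
  [[169, 254, 0, 0], 16],   // link-local, incl. cloud metadata endpoints
  [[0, 0, 0, 0], 8],        // "this" network
  [[100, 64, 0, 0], 10],    // shared address space (CGNAT)
];

function inCidr(octets, [base, bits]) {
  const toInt = (o) => ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return (toInt(octets) & mask) === (toInt(base) & mask);
}

// Returns "public", "private" or "invalid". Non-canonical input is "invalid",
// so a filter using this fails closed instead of letting "0x7f.1" through.
function classifyIPv4(addr) {
  const octets = parseCanonicalIPv4(addr);
  if (!octets) return 'invalid';
  return BLOCKED.some((range) => inCidr(octets, range)) ? 'private' : 'public';
}

module.exports = { classifyIPv4, parseCanonicalIPv4 };
```

Treat both "private" and "invalid" as blocked when deciding whether a server may fetch a user-supplied address; resolving hostnames to an address first and then classifying the resolved address is still required, since this only checks literals.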
@OIRNOIR

OIRNOIR commented Feb 12, 2024

proxy-agent has released an update to fix the vulnerability by removing the ip package it depends on. Run npm update.

@boxexchanger
Author

Thank you!
