[GHSA-qf5v-q897-m77r] The ip (aka node-ip) package through 2.0.1 (in NPM) might...#7243

Open
bughir0 wants to merge 1 commit into bughir0/advisory-improvement-7243 from bughir0-GHSA-qf5v-q897-m77r
Conversation

@bughir0 bughir0 commented Mar 27, 2026

Updates

  • Affected products
  • References
  • Source code location
  • Summary

Comments
This update adds verifiable upstream metadata for the npm package ip and its source repository indutny/node-ip, and adds the upstream issue that specifically matches this advisory’s octal-format behavior (017700000001). I did not add a patched version or fix commit because I found no merged upstream fix, no newer release than 2.0.1, and no public upstream evidence establishing a patched version.
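The summary above refers to the octal-form literal 017700000001. The block below is an added example, not code from node-ip, from this advisory, or from either commenter: it decodes that literal the way an inet_aton-style parser would (a leading 0 means octal), showing that it aliases 127.0.0.1, and beside it shows one defensive pattern a consumer can apply before any public/private classification: accept only canonical dotted-quad IPv4 and treat every other spelling as invalid, so the check fails closed. The helper names (decodeSingleNumberLiteral, parseCanonicalIPv4, classifyIPv4) are constructed for this example and are not an API of the ip package.

```javascript
// Added example (not node-ip code). Illustrates why a non-canonical IPv4
// literal such as 017700000001 must not reach an "is this private?" check
// unparsed, and one strict pre-check that rejects such spellings outright.

// Decode an inet_aton-style single-number literal: leading "0x" is hex,
// leading "0" is octal, otherwise decimal. Returns the dotted quad the
// literal aliases, or null when the string is not such a literal.
// Constructed for illustration; real parsers differ in corner cases.
function decodeSingleNumberLiteral(s) {
  let n;
  if (/^0[xX][0-9a-fA-F]+$/.test(s)) n = parseInt(s.slice(2), 16);
  else if (/^0[0-7]+$/.test(s)) n = parseInt(s.slice(1), 8);
  else if (/^[1-9][0-9]*$/.test(s)) n = parseInt(s, 10);
  else return null;
  if (!Number.isSafeInteger(n) || n < 0 || n > 0xffffffff) return null;
  return [n >>> 24, (n >>> 16) & 255, (n >>> 8) & 255, n & 255].join('.');
}

// Strict canonical IPv4 parser: exactly four decimal octets, no leading
// zeros, each in 0..255. Octal, hex and shorthand forms are all rejected,
// so no alias of a loopback or private address can pass as "unrecognised".
function parseCanonicalIPv4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const octets = [];
  for (let i = 1; i <= 4; i++) {
    const part = m[i];
    if (part.length > 1 && part[0] === '0') return null; // "010" is not canonical
    const v = Number(part);
    if (v > 255) return null;
    octets.push(v);
  }
  return octets;
}

// Classify only strictly parsed addresses; everything else is 'invalid',
// which a caller should treat the same as "not allowed".
function classifyIPv4(s) {
  const o = parseCanonicalIPv4(s);
  if (!o) return 'invalid';
  const [a, b] = o;
  if (a === 127) return 'loopback';
  if (a === 10) return 'private';
  if (a === 172 && b >= 16 && b <= 31) return 'private';
  if (a === 192 && b === 168) return 'private';
  if (a === 169 && b === 254) return 'link-local';
  if (a === 0) return 'unspecified';
  return 'public';
}

// Constructed sample inputs, including the literal named in this thread.
const samples = ['017700000001', '0x7f000001', '2130706433', '127.0.0.1', '127.000.0.1', '8.8.8.8'];
for (const s of samples) {
  console.log(s, '-> alias:', decodeSingleNumberLiteral(s), '| strict class:', classifyIPv4(s));
}
```

The point of the strict parser is the order of operations: the address is canonicalised (or rejected) before the private/public decision is made, so the decision is never made on a spelling whose numeric meaning differs from what the classifier's string patterns assume.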

@github-actions github-actions bot changed the base branch from main to bughir0/advisory-improvement-7243 March 27, 2026 04:36
@helixplant

Hi,
Thanks for providing this information. This looks like it may be a duplicate of GHSA-2p57-rm9w-gvfp. That advisory does not appear to be patched yet, with the referenced links still showing unmerged and open action items:

Additionally, the same versions are reported as vulnerable.

Do you have any additional information confirming whether GHSA-2p57-rm9w-gvfp has been patched? We want to avoid adding a duplicate advisory, and if there isn’t a fix yet, it’s unclear how there could be a bypass of a CVE with no available patch.


bughir0 commented Mar 28, 2026

> Hi, Thanks for providing this information. This looks like it may be a duplicate of GHSA-2p57-rm9w-gvfp. That advisory does not appear to be patched yet, with the referenced links still showing unmerged and open action items:
>
> Additionally, the same versions are reported as vulnerable.
>
> Do you have any additional information confirming whether GHSA-2p57-rm9w-gvfp has been patched? We want to avoid adding a duplicate advisory, and if there isn’t a fix yet, it’s unclear how there could be a bypass of a CVE with no available patch.

Thanks for reviewing this.

I do not have additional upstream evidence showing that GHSA-2p57-rm9w-gvfp has been patched. In my review, the upstream node-ip repository still shows the related work as open/unmerged, including issue #150 and the linked draft/open PRs, and GHSA-2p57-rm9w-gvfp still describes ip through 2.0.1 as vulnerable.

My intent with this submission was only to add verifiable package/source metadata and the upstream issue that specifically matches the octal-form example 017700000001. I do not have evidence of a distinct upstream fix followed by a separate bypass after that fix. Given that, I agree this may be better treated as part of GHSA-2p57-rm9w-gvfp rather than as a separate advisory.

If helpful, I’m fine with closing this submission as a duplicate or having the relevant reference folded into GHSA-2p57-rm9w-gvfp instead.