- Package: src:node-ip
- Source: src:node-ip
- Submitter: Salvatore Bonaccorso
- Date: 2025-10-26 12:59:01 UTC
- Severity: normal
- Tags:
Hi,

The following vulnerability was published for node-ip.

CVE-2025-59436[0]:
| The ip (aka node-ip) package through 2.0.1 (in NPM) might allow SSRF
| because the IP address value 017700000001 is improperly categorized
| as globally routable via isPublic. NOTE: this issue exists because
| of an incomplete fix for CVE-2024-29415.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-59436
    https://www.cve.org/CVERecord?id=CVE-2025-59436
[1] https://github.com/indutny/node-ip/issues/162

Regards,
Salvatore
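The value quoted in the CVE description reads as 127.0.0.1 under the classic inet_aton rules (a leading 0 marks an octal number, and a single number fills all 32 bits). The JavaScript below is an added example, not code from node-ip or from this bug report; the helper names and the range list are assumptions of the example. It normalizes such literals before classifying them and fails closed on anything it cannot parse.

```javascript
// Added example: hypothetical helpers, not node-ip's API.
// One inet_aton-style component: 0x.. is hex, a leading 0 is octal, else decimal.
function parsePart(s) {
  if (/^0x[0-9a-f]+$/i.test(s)) return parseInt(s.slice(2), 16);
  if (/^0[0-7]*$/.test(s)) return parseInt(s, 8);
  if (/^[1-9][0-9]*$/.test(s)) return parseInt(s, 10);
  return NaN; // e.g. "08", "", "1e3"
}

// Normalize a 1- to 4-part IPv4 literal to an unsigned 32-bit integer, or null.
function legacyIPv4ToInt(text) {
  const nums = String(text).split('.').map(parsePart);
  if (nums.length > 4 || nums.some(n => !Number.isSafeInteger(n))) return null;
  const last = nums.pop();
  // Leading parts are single octets; the last part fills the remaining bytes.
  if (nums.some(n => n > 0xff)) return null;
  if (last > Math.pow(256, 4 - nums.length) - 1) return null;
  let value = last;
  nums.forEach((n, i) => { value += n * Math.pow(256, 3 - i); });
  return value;
}

// Render the normalized integer as a dotted quad for logging.
function toDotted(n) {
  return [24, 16, 8, 0].map(s => Math.floor(n / Math.pow(2, s)) % 256).join('.');
}

// Special-purpose IPv4 ranges treated as non-public (list chosen for this example).
const NON_PUBLIC = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.0.0.0', 24], ['192.0.2.0', 24],
  ['192.168.0.0', 16], ['198.18.0.0', 15], ['198.51.100.0', 24],
  ['203.0.113.0', 24], ['224.0.0.0', 3],
];

// Classify only after normalization; unparseable input is never "public".
function isPublicIPv4(text) {
  const addr = legacyIPv4ToInt(text);
  if (addr === null) return false;
  return !NON_PUBLIC.some(([base, bits]) => {
    const start = legacyIPv4ToInt(base);
    return addr >= start && addr < start + Math.pow(2, 32 - bits);
  });
}
```

For an SSRF guard, the check belongs on the address actually connected to, so the normalized form from `toDotted` (or the resolved address) should be what is passed on, not the original string.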
On 26/10/2025 at 09:09, Salvatore Bonaccorso wrote:

Hi,

node-ip is no longer maintained. I already removed it from the dependencies of node-proxy-agents and node-socks.

Next steps:
- update npm to drop it
- ROM-RM node-ip

Best regards,
Xavier
Hi Xavier,

Sounds good as an action plan, in particular dropping it for unstable/forky.

Regards,
Salvatore