Summary:
An issue in the isPrivate() function of the npm ip-utils package (version 2.4.0 and earlier) allows an attacker to bypass private IP detection. Applications that use the function to decide whether a destination is internal can be driven into Server-Side Request Forgery (SSRF), unauthorized access to internal services, or information leakage.
function isPrivate (ipaddress: string): Boolean {
  return /^(::f{4}:)?10\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$/i
    .test(ipaddress) ||
    /^(::f{4}:)?192\.168\.([0-9]{1,3})\.([0-9]{1,3})$/i.test(ipaddress) ||
    /^(::f{4}:)?172\.(1[6-9]|2\d|30|31)\.([0-9]{1,3})\.([0-9]{1,3})$/i
      .test(ipaddress) ||
    /^(::f{4}:)?127\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$/i.test(ipaddress) ||
    /^(::f{4}:)?169\.254\.([0-9]{1,3})\.([0-9]{1,3})$/i.test(ipaddress) ||
    /^f[cd][0-9a-f]{2}:/i.test(ipaddress) ||
    /^fe80:/i.test(ipaddress) ||
    /^::1$/.test(ipaddress) ||
    /^::$/.test(ipaddress);
}
The function only matches the textual form of a dotted-decimal address, so IPv4 addresses written in notations that inet_aton()-style parsers (and URL parsers such as the WHATWG parser used by browsers and Node.js) accept are not recognized as private, even though the request will be delivered to the private address:
isPrivate("0x7f.1")
→ Expected true, but returns false (127.0.0.1 in hexadecimal notation)
isPrivate("127.1")
→ Expected true, but returns false (shorthand for 127.0.0.1)
isPrivate("0177.0.0.1")
→ Expected true, but returns false (0177 = 127 in octal notation)
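The following is an added example, not code from the ip-utils package: it puts the page's regex-based check beside a hardened check that first converts the address to a 32-bit number using inet_aton()/WHATWG IPv4 rules (hex "0x" parts, leading-zero octal parts, one to four parts with the last part filling the remaining bytes) and then compares numerically against the same ranges the original tests. It goes slightly beyond the three inputs above by also covering the plain-integer form ("2130706433") and the hex-group IPv4-mapped form ("::ffff:7f00:1"), both of which the textual check misses for the same reason. Function names (isPrivateOriginal, isPrivateSafe, ipv4ToInt, compare) are chosen for this example.

```javascript
// Added example (not ip-utils' code): the vulnerable textual check next to a
// parse-then-compare check. Ranges are the ones the original isPrivate() tests.
'use strict';

// The vulnerable check as shown on the page, TypeScript annotations removed.
function isPrivateOriginal(ipaddress) {
  return /^(::f{4}:)?10\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$/i.test(ipaddress) ||
    /^(::f{4}:)?192\.168\.([0-9]{1,3})\.([0-9]{1,3})$/i.test(ipaddress) ||
    /^(::f{4}:)?172\.(1[6-9]|2\d|30|31)\.([0-9]{1,3})\.([0-9]{1,3})$/i.test(ipaddress) ||
    /^(::f{4}:)?127\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$/i.test(ipaddress) ||
    /^(::f{4}:)?169\.254\.([0-9]{1,3})\.([0-9]{1,3})$/i.test(ipaddress) ||
    /^f[cd][0-9a-f]{2}:/i.test(ipaddress) ||
    /^fe80:/i.test(ipaddress) ||
    /^::1$/.test(ipaddress) ||
    /^::$/.test(ipaddress);
}

// One dotted part, inet_aton() style: "0x.." is hex, a leading "0" makes it
// octal, otherwise decimal. Returns null for anything else (e.g. "08", "").
function parseIPv4Part(part) {
  let m;
  if ((m = /^0[xX]([0-9a-fA-F]+)$/.exec(part))) return parseInt(m[1], 16);
  if ((m = /^0([0-7]+)$/.exec(part))) return parseInt(m[1], 8);
  if (/^(0|[1-9][0-9]*)$/.test(part)) return parseInt(part, 10);
  return null;
}

// Whole address -> unsigned 32-bit integer, or null if not an IPv4 address.
// "127.1" and "2130706433" both become 127.0.0.1, exactly as inet_aton() sees them.
function ipv4ToInt(s) {
  const parts = s.split('.');
  if (parts.length > 4) return null;
  const nums = parts.map(parseIPv4Part);
  if (nums.some((n) => n === null)) return null;
  const head = nums.slice(0, -1);
  const last = nums[nums.length - 1];
  const lastBytes = 4 - head.length;            // bytes the final part has to fill
  if (head.some((n) => n > 255) || last >= 2 ** (8 * lastBytes)) return null;
  let value = 0;
  for (const n of head) value = value * 256 + n;
  return (value * 256 ** lastBytes + last) >>> 0;
}

// Numeric CIDR membership; the mask is kept as an unsigned 32-bit value.
function inCidr(ip, base, bits) {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ip & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// The same IPv4 ranges the original function tries to match textually.
const PRIVATE_V4 = [
  ['10.0.0.0', 8], ['172.16.0.0', 12], ['192.168.0.0', 16],
  ['127.0.0.0', 8], ['169.254.0.0', 16],
];

function isPrivateV4(ip) {
  return PRIVATE_V4.some(([base, bits]) => inCidr(ip, base, bits));
}

// Hardened check: normalise first, compare numerically, and keep the original's
// IPv6 tests (ULA, link-local, loopback, unspecified) for non-IPv4 input.
function isPrivateSafe(address) {
  let s = String(address);
  const mapped = /^::ffff:(.+)$/i.exec(s);      // IPv4-mapped IPv6, as the original accepts
  if (mapped) s = mapped[1];
  const v4 = ipv4ToInt(s);
  if (v4 !== null) return isPrivateV4(v4);
  // "::ffff:7f00:1" is 127.0.0.1 written with two hex groups.
  const hexGroups = mapped && /^([0-9a-f]{1,4}):([0-9a-f]{1,4})$/i.exec(s);
  if (hexGroups) {
    return isPrivateV4(((parseInt(hexGroups[1], 16) << 16) | parseInt(hexGroups[2], 16)) >>> 0);
  }
  return /^f[cd][0-9a-f]{2}:/i.test(s) || /^fe80:/i.test(s) || s === '::1' || s === '::';
}

// The three inputs from the advisory plus the plain-integer form (constructed sample input).
const BYPASS_INPUTS = ['0x7f.1', '127.1', '0177.0.0.1', '2130706433'];

// Side-by-side result for each input: original says false, hardened says true.
function compare(inputs = BYPASS_INPUTS) {
  return inputs.map((ip) => ({ ip, original: isPrivateOriginal(ip), hardened: isPrivateSafe(ip) }));
}

console.table(compare());
```

The design point is that the decision is made on the address the network stack will actually connect to, not on the string the attacker supplied; any check that works on the string has to reproduce every notation the downstream parser accepts, which is exactly where the original regexes fall short. In a real deployment it is also worth resolving hostnames first and re-checking the resolved address, since the same function is typically bypassed through DNS as easily as through notation.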
- Security Risk: An attacker who controls a URL or host parameter can write an internal address in one of these notations to evade the check, leading to Server-Side Request Forgery (SSRF), access control bypass, or information leakage from internal services.
- Affected Applications: Any application that relies on this function to decide whether a destination is private (for example, an SSRF allow-list or a "no internal targets" policy) may be vulnerable.