PT-2020-16994 · Npm · Private-Ip

Published: 2020-11-23 · Updated: 2021-08-08 · CVE-2020-28360

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: private-ip npm package, versions 1.0.5 and below

Description: The vulnerability stems from insufficient RegEx filtering in the private-ip npm package, which results in indeterminate Server-Side Request Forgery (SSRF). A remote attacker can request server-side resources, or potentially execute arbitrary code through various SSRF techniques, by performing a large range of requests to ARIN reserved IP ranges. The vulnerability is estimated to affect over 12,000 weekly installs.

Recommendations: For private-ip npm package versions 1.0.5 and below, update to a version above 1.0.5 to resolve the issue. As a temporary workaround, consider restricting access to the private-ip package until a patch is available, and avoid relying on the package to filter reserved IP ranges until the issue is resolved.
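As an added example that is not the private-ip package's own code, the following shows the defensive pattern the advisory points at: parse an IPv4 literal strictly into a number and test it against reserved ranges numerically, rather than pattern-matching the string. The range list, `parseIPv4Strict`, `inCidr` and `isReservedOrInvalid` are this example's own names and assumptions; only dotted-decimal IPv4 is handled.

```javascript
// Added example (not the private-ip package's code): strict IPv4 parsing plus
// a numeric CIDR check against IANA/ARIN-reserved ranges, as a defensive
// alternative to a permissive regular expression.
const RESERVED_V4 = [
  "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
  "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16",
  "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4",
  "240.0.0.0/4",
];

// Parse a strict dotted-decimal IPv4 literal into an unsigned 32-bit integer.
// Returns null for anything that is not exactly four decimal octets 0-255:
// no leading zeros, no hex or octal notation, no fewer than four parts.
function parseIPv4Strict(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  let n = 0;
  for (let i = 1; i <= 4; i++) {
    const octet = m[i];
    if (octet.length > 1 && octet[0] === "0") return null; // reject "01"
    const v = Number(octet);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n >>> 0;
}

// True when the 32-bit address lies inside the given "a.b.c.d/bits" block.
function inCidr(addr, cidr) {
  const [base, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const baseN = parseIPv4Strict(base);
  // "<< 32" is a no-op in JavaScript, so a /0 mask is special-cased.
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((addr & mask) >>> 0) === ((baseN & mask) >>> 0);
}

// Reject, rather than allow, anything that does not parse strictly: a string
// the strict parser refuses must not be handed on to a resolver or HTTP
// client that might interpret it more loosely. Otherwise, reject if the
// address falls in any reserved range.
function isReservedOrInvalid(s) {
  const addr = parseIPv4Strict(s);
  if (addr === null) return true;
  return RESERVED_V4.some((cidr) => inCidr(addr, cidr));
}
```

The check is deliberately fail-closed: an outbound request is only permitted when the literal both parses canonically and lands outside every reserved block.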

Fix

SSRF


Weakness Enumeration

Related Identifiers

CVE-2020-28360
GHSA-43CH-2H55-2VJ7

Affected Products

Private-Ip