🚨 Security Vulnerability: ip npm package is unsafe for use as of v1.1.8

[taylorjdawson]

NPM ip package is vulnerable to Server-Side Request Forgery (SSRF) attacks, see GitHub advisory for more information.

Effected packages:

• @react-native-community/cli-doctor@12.3.2 includes ip in the package.json file but doesn't appear to be used in the code itself.

• @react-native-community/cli-hermes@12.3.2:
  It looks like the ip.isPublic isn't explictly used within the @react-native-community/cli-hermes@12.3.2 pkg:

  cli/packages/cli-hermes/src/profileHermes/sourcemapUtils.ts

  Line 37 in 2602f83

  const IP_ADDRESS = ip.address();

  However, ip.address does call ip.isPublic under the hood:

  //...
        return name === 'public' ? ip.isPrivate(details.address)
      : ip.isPublic(details.address);
  });
  

Could potentially introduce a function to check that the IP address isn't private or reserved using the ipaddr.js lib

// Function to check if the IP address is safe to use (not private or reserved)
function isSafeIPAddress(ipAddress) {
  try {
    const addr = ipaddr.parse(ipAddress);

    // Check if the IP address is in a private or reserved range
    const range = addr.range();
    return range !== 'private' && range !== 'loopback' && range !== 'linkLocal' && range !== 'uniqueLocal';
  } catch (e) {
    console.error("Error parsing IP address:", e);
    return false; // Consider the IP address unsafe if it cannot be parsed
  }
}

[IzumiKomatsu]

Thanks, i'm facing the same issue.

[szymonrybczak]

hey @taylorjdawson, thanks for reporting! I've just created #2295 bumping ip package 👍

[taylorjdawson]

@szymonrybczak does that fix it though? The issue I believe is with the latest version of the ip package.

[szymonrybczak]

@taylorjdawson ah, right. I wrongly looked and I thought it was <1.1.18, let's see if maintainers will release a patch fix.

[DiNMEA]

so im not only one who faced that problem :/
anyone found an fix to this? i need to complete the tasks real bad lol

[glitch-txs]

seems like this upstreams to the latest version of react-native

[salmaazakii]

Hey, I'm facing the same issue, Should I downgrade my @react-native-community/cli package version to a certain one so it will not be affected by the latest upgrade?

this is the 'npm audit' result:

npm audit report

ip <=1.1.8
Severity: high
NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks - GHSA-78xj-cgh5-2h22
fix available via npm audit fix --force
Will install react-native@0.68.7, which is a breaking change
node_modules/ip
@react-native-community/cli-doctor *
Depends on vulnerable versions of ip
node_modules/@react-native-community/cli-doctor
@react-native-community/cli >=4.13.0
Depends on vulnerable versions of @react-native-community/cli-doctor
Depends on vulnerable versions of @react-native-community/cli-hermes
node_modules/@react-native-community/cli
react-native <=0.0.0-ffdfbbec0 || >=0.69.0-rc.0
Depends on vulnerable versions of @react-native-community/cli
node_modules/react-native
react-native-pie-chart >=3.0.0
Depends on vulnerable versions of react-native
node_modules/react-native-pie-chart
@react-native-community/cli-hermes *
Depends on vulnerable versions of ip
node_modules/@react-native-community/cli-hermes

thank you in advance

[darakeon]

The ip package last update was 2 years ago.
https://www.npmjs.com/package/ip

My problem is with puppeteer instead of react, but same issue: will really ip package be updated? I think it is not maintained anymore...

[jxia-innablr]

anyone find any workaround pls share here, thanks!

[glitch-txs]

anyone find any workaround pls share here, thanks!

there's no workaround, the library needs to be either patched or replaced

[thymikee]

FYI, the only affected command is profile-hermes when producing source maps. If you're not using it on a server (e.g. your CI), you're safe to ignore this and wait for us to patch it once we have a proper solution. If you are using it however, please disable it temporarily.