CVE-2025-59437

NameCVE-2025-59437
DescriptionThe ip (aka node-ip) package through 2.0.1 (in NPM) might allow SSRF because the IP address value 0 is improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2024-29415. NOTE: in current versions of several applications, connection attempts to the IP address 0 (interpreted as 0.0.0.0) are blocked with error messages such as net::ERR_ADDRESS_INVALID. However, in some situations that depend on both application version and operating system, connection attempts to 0 and 0.0.0.0 are considered connection attempts to 127.0.0.1 (and, for this reason, a false value of isPublic would be preferable).
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1119021

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
node-ip (PTS)bullseye1.1.5-5fixed
bookworm2.0.0+~1.1.0-1fixed
forky, sid, trixie2.0.1+~1.1.3-3vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
node-ipsourcebullseye(not affected)
node-ipsourcebookworm(not affected)
node-ipsource(unstable)(unfixed)1119021

Notes

[trixie] - node-ip <no-dsa> (Minor issue)
[bookworm] - node-ip <not-affected> (Incomplete fix for CVE-2024-29415 not applied)
[bullseye] - node-ip <not-affected> (Incomplete fix for CVE-2024-29415 not applied)
https://github.com/indutny/node-ip/issues/160
CVE exists for an incomplete fix of CVE-2024-29415
Search for package or bug name: Reporting problems