SecuriTricks - CVE-2025-59437

Description

The ip (aka node-ip) package through 2.0.1 (in NPM) might allow SSRF because the IP address value 0 is improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2024-29415. NOTE: in current versions of several applications, connection attempts to the IP address 0 (interpreted as 0.0.0.0) are blocked with error messages such as net::ERR_ADDRESS_INVALID. However, in some situations that depend on both application version and operating system, connection attempts to 0 and 0.0.0.0 are considered connection attempts to 127.0.0.1 (and, for this reason, a false value of isPublic would be preferable).

Product(s) Impacted

Vendor	Product	Versions
Node-ip	Node-ip	<2.0.1

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-918

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	node-ip	node-ip	<2.0.1	/	/	/	/	/	/	/

References

https://cosmosofcyberspace.github.io/CVE-Application-Document.html

https://github.com/indutny/node-ip/tags

CVSS Score

3.2 / 10

CVSS Data - 3.1

Attack Vector: LOCAL
Attack Complexity: HIGH
Privileges Required: NONE
Scope: CHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N

View Vector String

Timeline

Published: Sept. 16, 2025, 6:16 a.m.
Last Modified: Sept. 16, 2025, 12:49 p.m.

Status : Awaiting Analysis

CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.

More info

Source

cve@mitre.org

CVE-2025-59437