CVE-2024-29415
HIGHnode-ip: Incomplete fix for CVE-2023-42282
CVSS v3
8.1
HIGH
EPSS Score
84.3%
exploit probability
CISA KEV
No
known exploited
Exploitation
none
SSVC status
Description
The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.
Technical Details
- CVSS v3 Vector
- 3.1
- Published
- 5/27/2024
- Last Modified
- 4/15/2026
Frequently Asked Questions
What is CVE-2024-29415?
The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.
Is CVE-2024-29415 actively exploited?
Active exploitation of CVE-2024-29415 has not been confirmed. The EPSS score is 84.3%, indicating the estimated probability of exploitation in the next 30 days.
What is the CVSS score for CVE-2024-29415?
CVE-2024-29415 has a CVSS v3 base score of 8.1 (HIGH severity), with vector string 3.1.
Is CVE-2024-29415 affecting your environment?
Use isMalicious to check if any of your IPs or domains are associated with this vulnerability's IOCs.