False CVEs Destroy Open-Source Projects

Fedor Indutny, author of the io.js platform (a fork of Node.js) and a member of the Node.js Technical Steering Committee, raised the problem of CVE identifiers being assigned to vulnerability reports that misrepresent the actual threat level. He pointed out that CVE identifiers are allocated without adequate verification and without consulting the project's developers, which lets a reporter present a minor issue as a critical vulnerability.

Such CVE identifiers not only damage a project's reputation but also place a significant burden on its developers, who have to respond to a stream of requests and messages about each CVE. Developers have no way to dispute the assigned severity or to have a CVE withdrawn, which compounds the problem.

One specific case Indutny highlighted involves the node-ip library for Node.js. Before the vulnerability report, the library was downloaded roughly 30 million times a week; in the five months after the report was published, weekly downloads fell to 17 million. The decline was attributed to the publication of a report describing a critical vulnerability.

node-ip is a dependency of more than 3,500 projects, and the disputed CVE produced warnings whenever npm audit was run. After several unsuccessful attempts to get the CVE's severity lowered, the node-ip maintainer archived the repository because of the flood of complaints and messages. The repository was later restored.

The report, designated CVE-2023-42282, was published in early February. The researcher had identified the issue and filed a bounty claim on the Huntr platform in December 2022; after more than a year of attempts to get the node-ip maintainers to address the problem, the details were made public.

The vulnerability stems from the isPublic() and isPrivate() functions handling only the canonical representation of IP addresses. When an address is supplied in a non-canonical format (such as hexadecimal or octal octets, or a shortened form like 127.1), the check returns the wrong answer, which could be used to bypass SSRF protections or access-control checks built on these functions. The CVE rated the vulnerability as critical (CVSS 9.8 out of 10).
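The following is an added example, written for this page; it is not node-ip's code and not its fix. It shows the class of bug described above in the simplest form: a private-range check that only recognises canonical dotted-quad strings, next to an emulation of how a classic inet_aton()-style resolver interprets the same strings, and a strict replacement that parses the address first and fails closed. The range list, the regular expressions, the resolver emulation and the sample inputs are all assumptions made for illustration.

```javascript
// Added example (not node-ip's code or its fix): a private-range check that
// understands only canonical dotted-quad IPv4 strings, beside a strict
// replacement. Addresses, ranges and the "legacy" resolver below are
// assumptions made for illustration.

// IPv4 ranges a fetcher should never be allowed to reach (CIDR prefixes).
const PRIVATE_RANGES = [
  ['10.0.0.0', 8], ['172.16.0.0', 12], ['192.168.0.0', 16],
  ['127.0.0.0', 8], ['169.254.0.0', 16], ['0.0.0.0', 8],
];

// --- Naive checker: string patterns for the canonical form only. ---------
// Anything not written as a canonical dotted quad matches nothing and is
// therefore reported as "public". This is the class of bug in CVE-2023-42282.
const NAIVE_PRIVATE_PATTERNS = [
  /^10\.\d{1,3}\.\d{1,3}\.\d{1,3}$/,
  /^172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}$/,
  /^192\.168\.\d{1,3}\.\d{1,3}$/,
  /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/,
  /^169\.254\.\d{1,3}\.\d{1,3}$/,
  /^0\.\d{1,3}\.\d{1,3}\.\d{1,3}$/,
];
function naiveIsPrivate(addr) { return NAIVE_PRIVATE_PATTERNS.some((re) => re.test(addr)); }
function naiveIsPublic(addr) { return !naiveIsPrivate(addr); }

// --- What the network stack actually does with the string. ---------------
// Emulates classic inet_aton(): hex (0x7f) and octal (0177) components, and
// 1-3 component shorthand where the last component fills the remaining bytes.
function legacyInetAton(addr) {
  const parts = addr.split('.');
  if (parts.length < 1 || parts.length > 4) return null;
  const nums = [];
  for (const p of parts) {
    if (/^0[xX][0-9a-fA-F]+$/.test(p)) nums.push(parseInt(p.slice(2), 16));
    else if (/^0[0-7]*$/.test(p)) nums.push(parseInt(p, 8));
    else if (/^[1-9]\d*$/.test(p)) nums.push(parseInt(p, 10));
    else return null;
  }
  const last = nums.pop();
  const lastBytes = 4 - nums.length;         // bytes the final component fills
  if (last >= 2 ** (8 * lastBytes) || nums.some((n) => n > 255)) return null;
  let ip = 0;
  for (const n of nums) ip = ip * 256 + n;   // plain arithmetic: no 32-bit overflow
  return (ip * 2 ** (8 * lastBytes) + last) >>> 0;
}
function toDotted(ip) { return [24, 16, 8, 0].map((s) => (ip >>> s) & 0xff).join('.'); }

// --- Strict checker: parse first, then compare numerically. --------------
// Exactly four decimal octets, 0-255, no leading zeros, no hex, no shorthand.
const CANONICAL_OCTET = '(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)';
const CANONICAL_IPV4 = new RegExp(`^${CANONICAL_OCTET}(\\.${CANONICAL_OCTET}){3}$`);
function parseIPv4Strict(addr) {
  if (!CANONICAL_IPV4.test(addr)) return null;
  return addr.split('.').reduce((acc, o) => acc * 256 + Number(o), 0) >>> 0;
}
function inCidr(ip, [base, bits]) {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ip & mask) >>> 0) === ((parseIPv4Strict(base) & mask) >>> 0);
}
// Fails closed: an address that does not parse is never "public".
function strictIsPublic(addr) {
  const ip = parseIPv4Strict(addr);
  if (ip === null) return false;
  return !PRIVATE_RANGES.some((range) => inCidr(ip, range));
}

// Constructed inputs that a resolver accepts as loopback but that the naive
// checker does not recognise as private.
const BYPASS_CANDIDATES = ['0x7f.0.0.1', '0177.0.0.1', '127.1', '2130706433'];
function compareCheckers(addrs = BYPASS_CANDIDATES) {
  return addrs.map((addr) => ({
    addr,
    resolvesTo: toDotted(legacyInetAton(addr)),
    naiveSaysPublic: naiveIsPublic(addr),
    strictSaysPublic: strictIsPublic(addr),
  }));
}

console.table(compareCheckers());
```

Run with node; the table shows every constructed input resolving to 127.0.0.1 while the naive checker calls it public and the strict one does not. The point for an SSRF guard is the ordering: parse the string into a number (or resolve the hostname to the address that will actually be connected to) and classify that, rather than pattern-matching the text the caller supplied; rejecting anything that is not canonical is the simplest way to keep the two interpretations from diverging.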

The node-ip author disputed the severity, arguing that a successful attack requires the attacker to control the value passed to isPublic() or isPrivate(), whereas in typical deployments the client IP address comes from system functions or web-server variables rather than from untrusted input.

To address the issue, versions 1.1.9 and 2.0.1 of node-ip were released in
