• progandy@feddit.de
    link
    fedilink
    arrow-up
    10
    arrow-down
    1
    ·
    4 months ago

    It’s interesting, that it would be hard to make a case that there was a “vulnerability” in the ip package. But it seems like this package’s entire purpose is input validation so it’s kind of weird the dev thinks otherwise.

    Yes, input validation, probably for forms. What the Dev disputes is that he cannot see a case where it is used in a security critical way where

    1. the input format is unknown and
    2. it is essential to know if the IP is public or private.
    • SirQuackTheDuck@lemmy.world
      link
      fedilink
      arrow-up
      11
      ·
      4 months ago

      Even worse, the CVE is effectively “if you use the package wrong, you get weird results”.

      The affected method has signature function isPrivate(ip: string): boolean. Passing in a hex number is not a string, and a method (toString) exists for this.