Summary
Affected versions of get-ip-range are vulnerable to denial of service when the IP range is taken from untrusted input. An attacker could supply a very large range, e.g. '192.168.1.1/0', which makes the library try to materialise every address in the range and results in a JavaScript heap out-of-memory crash.
Product
get-ip-range before 4.0.0.
Impact
Crashing a program that passes user input to get-ip-range.
Steps to reproduce
```javascript
import { getIPRange } from 'get-ip-range';

// Expanding the untrusted range named in the summary triggers the crash
getIPRange('192.168.1.1/0');
```
Expected result:
JavaScript heap out of memory crash.
Remediation
Update get-ip-range dependency to 4.0.0 or above.
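As an added defensive example (not code from this advisory or from the get-ip-range project), the guard below bounds the size of an IPv4 CIDR range before it is handed to a range expander, so a caller that must accept user-supplied ranges rejects a '/0' instead of expanding it. The helper names (parseIpv4Cidr, ipv4RangeSize, isSafeRange, expandRangeGuarded) and the 65536-address limit are this example's own choices; the expander function is injected as a parameter so the snippet runs without the package installed, and only IPv4 CIDR notation is handled.

```javascript
// Added example, not part of the advisory or of get-ip-range.
// Parse "a.b.c.d/n" into octets and prefix length; return null on anything malformed.
function parseIpv4Cidr(cidr) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\/(\d{1,2})$/.exec(String(cidr).trim());
  if (!m) return null;
  const octets = m.slice(1, 5).map(Number);
  const prefix = Number(m[5]);
  if (octets.some((o) => o > 255) || prefix > 32) return null;
  return { octets, prefix };
}

// Number of addresses the CIDR covers (network and broadcast included):
// a /24 is 256, a /8 is 16,777,216, a /0 is the whole 2^32 space.
function ipv4RangeSize(cidr) {
  const parsed = parseIpv4Cidr(cidr);
  if (parsed === null) return null;
  return 2 ** (32 - parsed.prefix);
}

// Constructed limit for this example: refuse anything bigger than a /16.
const MAX_HOSTS = 65536;

// True only for a well-formed range whose size is within the limit.
function isSafeRange(cidr, maxHosts = MAX_HOSTS) {
  const size = ipv4RangeSize(cidr);
  return size !== null && size <= maxHosts;
}

// Wrap any expander (e.g. getIPRange) so oversized or malformed input is
// rejected with an exception before the expander allocates anything.
function expandRangeGuarded(cidr, expand, maxHosts = MAX_HOSTS) {
  if (!isSafeRange(cidr, maxHosts)) {
    throw new RangeError(
      `refusing to expand ${cidr}: malformed or larger than ${maxHosts} addresses`
    );
  }
  return expand(cidr);
}

module.exports = { parseIpv4Cidr, ipv4RangeSize, isSafeRange, expandRangeGuarded, MAX_HOSTS };
```

In an application the call becomes `expandRangeGuarded(userInput, getIPRange)`; the '192.168.1.1/0' input from the summary is rejected before get-ip-range is ever invoked, while a '/24' passes through unchanged. The check is independent of the library's own behaviour, so it remains useful as defence in depth even after updating to 4.0.0 or above.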
Credit
This issue was discovered and reported by Checkmarx SCA Security Researcher Yaniv Nizry.
Resources
- Commit 98ca22b