Submission: The SSRF Blocker That Didn't: NPM Private-IP Flaw Could Affect Millions of Apps (securityledger.com)
According to John Jackson of Shutterstock, who helped discover the flaw, it could allow attackers to launch local or remote attacks against vulnerable apps: installing malicious code or gaining access to protected data and resources. (https://johnjhacking.com/blog/cve-2020-28360/)
It is just the latest incident to raise questions about the security of the "software supply chain." Private-ip is a single-developer project created by Damir Mustafin (aka "frenchbread"), a Montenegro-based developer, in August 2016. In four years, the code had been updated just once, in April 2017, before the security hole was discovered and patched this month.

Despite that, its reach is massive. It averages 14,000 downloads weekly, according to data from GitHub, and direct downloads of private-ip are just one measure of its use. Fully 355 publicly identified npm modules are dependents of private-ip v1.0.5, the version that contains the SSRF flaws, and a further 73 GitHub projects depend on private-ip. All told, that accounts for 153,374 combined weekly downloads of private-ip and its dependents. One of the most widely used applications that relies on private-ip is libp2p, an open source network stack used in a wide range of decentralized peer-to-peer applications, according to Jackson. The total population of applications that use private-ip, knowingly or unknowingly, could number in the millions, he said.

In fact, private-ip may be the true source of a long list of SSRF vulnerabilities that have been independently discovered and reported in the last five years, Jackson said. "This may be why a lot of enterprises have struggled with SSRF and block list bypasses," he said.
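The article calls private-ip an SSRF "blocker" that could be bypassed but does not say how. As an added illustration (not the page's or private-ip's code, and not a reproduction of the CVE-2020-28360 bug), the Node.js block below contrasts a prefix-matching block list, an assumed weak pattern, with a check that first canonicalises the host the way inet_aton-style resolvers and HTTP clients do and then compares numerically against the loopback, RFC 1918, link-local and shared-address ranges. The alternate spellings of 127.0.0.1, the range table and all helper names are constructed for this example.

```javascript
// Added illustration: why a prefix/regex block list for "private" hosts is
// bypassable, and a canonicalising check that compares numerically against
// CIDR ranges. Not private-ip's code and not the CVE-2020-28360 bug itself;
// the bypass spellings are general inet_aton-style forms assumed for the demo.

// Weak pattern (assumed, for contrast): string-prefix matching on the raw host.
function naiveIsPrivate(host) {
  return /^(10\.|127\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|169\.254\.|localhost$)/.test(host);
}

// Parse one component the way inet_aton does: 0x.. is hex, 0.. is octal, else decimal.
function parsePart(s) {
  let m;
  if ((m = /^0[xX]([0-9a-fA-F]+)$/.exec(s))) return parseInt(m[1], 16);
  if ((m = /^0([0-7]+)$/.exec(s))) return parseInt(m[1], 8);
  if (/^[0-9]+$/.test(s)) return parseInt(s, 10);
  return NaN;
}

// Canonicalise an IPv4 literal in any inet_aton spelling to a 32-bit integer, or null.
// 1 part = a (32 bits); 2 parts = a.b (b is 24 bits); 3 parts = a.b.c (c is 16 bits); 4 parts = a.b.c.d.
function ipv4ToInt(host) {
  const parts = host.split('.');
  if (parts.length < 1 || parts.length > 4 || parts.some(p => p === '')) return null;
  const nums = parts.map(parsePart);
  if (nums.some(Number.isNaN)) return null;
  const last = nums[nums.length - 1];
  const lastBits = 8 * (5 - nums.length); // width of the final component
  if (last >= 2 ** lastBits) return null;
  for (let i = 0; i < nums.length - 1; i++) if (nums[i] > 255) return null;
  let value = 0;
  for (let i = 0; i < nums.length - 1; i++) value = value * 256 + nums[i];
  value = value * 2 ** lastBits + last;
  return value >>> 0;
}

// Constructed range table: "this network", RFC 1918, shared address space (100.64/10),
// loopback and link-local. Extend to taste; real code should also cover IPv6 ranges.
const PRIVATE_RANGES = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
];

function inRange(ip, [base, bits]) {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ip & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// Hardened check: canonicalise first, then compare numerically. Understands bracketed
// IPv6 literals for ::1 and IPv4-mapped addresses (::ffff:a.b.c.d and ::ffff:7f00:1);
// any other IPv6 literal is treated as private so the filter fails closed.
function hardenedIsPrivate(host) {
  const h = host.trim().toLowerCase().replace(/^\[|\]$/g, '');
  if (h === 'localhost') return true;
  if (h.includes(':')) {
    if (h === '::1' || h === '0:0:0:0:0:0:0:1') return true;
    const m = /^::ffff:(.+)$/.exec(h);
    if (!m) return true; // unknown IPv6 form: fail closed
    const rest = m[1];
    let ip;
    if (rest.includes('.')) {
      ip = ipv4ToInt(rest);
    } else {
      const g = rest.split(':');
      if (g.length !== 2 || !g.every(x => /^[0-9a-f]{1,4}$/.test(x))) return true;
      ip = (parseInt(g[0], 16) * 65536 + parseInt(g[1], 16)) >>> 0;
    }
    return ip === null || PRIVATE_RANGES.some(r => inRange(ip, r));
  }
  const ip = ipv4ToInt(h);
  if (ip === null) return false; // a hostname: resolve it and check the *resolved* address instead
  return PRIVATE_RANGES.some(r => inRange(ip, r));
}

// Constructed spellings of 127.0.0.1 that the naive check lets through.
const BYPASS_SPELLINGS = [
  '2130706433', '0x7f000001', '0177.0.0.1', '0x7f.1', '[::ffff:127.0.0.1]', '[::ffff:7f00:1]',
];

function compare(hosts) {
  return hosts.map(h => ({ host: h, naive: naiveIsPrivate(h), hardened: hardenedIsPrivate(h) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(compare([...BYPASS_SPELLINGS, '192.168.1.1', '93.184.216.34']));
}
```

A literal-address check is only half of an SSRF defence: a hostname can resolve to a private address (and re-resolve to a different one between the check and the connect), so the hardened check has to run on the address the client actually connects to, for example from a custom DNS lookup or HTTP agent, and the IPv6 ranges beyond the two forms handled here still need covering.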