It’s interesting, that it would be hard to make a case that there was a “vulnerability” in the ip package. But it seems like this package’s entire purpose is input validation so it’s kind of weird the dev thinks otherwise.
Yes, input validation, probably for forms. What the Dev disputes is that he cannot see a case where it is used in a security critical way where
the input format is unknown and
it is essential to know if the IP is public or private.
Even worse, the CVE is effectively “if you use the package wrong, you get weird results”.
The affected method has signature functionisPrivate(ip: string): boolean. Passing in a hex number is not a string, and a method (toString) exists for this.
Yes, input validation, probably for forms. What the Dev disputes is that he cannot see a case where it is used in a security critical way where
Even worse, the CVE is effectively “if you use the package wrong, you get weird results”.
The affected method has signature
function isPrivate(ip: string): boolean
. Passing in a hex number is not a string, and a method (toString
) exists for this.