There are 2 open security issues in bookworm.
2 issues left for the package maintainer to handle:
- CVE-2023-42282:
(needs triaging)
The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.
- CVE-2024-29415:
(needs triaging)
The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.
You can find information about how to handle these issues in the security team's documentation.