[Git][security-tracker-team/security-tracker][master] Add CVE-2025-59436/node-ip
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Tue Sep 16 09:25:21 BST 2025
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
1d31ed8c by Salvatore Bonaccorso at 2025-09-16T10:24:53+02:00
Add CVE-2025-59436/node-ip
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -11,7 +11,11 @@ CVE-2025-59453 (Click Studios Passwordstate before 9.9 Build 9972 has a potentia
CVE-2025-59437 (The ip (aka node-ip) package through 2.0.1 (in NPM) might allow SSRF b ...)
TODO: check
CVE-2025-59436 (The ip (aka node-ip) package through 2.0.1 (in NPM) might allow SSRF b ...)
- TODO: check
+ - node-ip <unfixed>
+ [bookworm] - node-ip <not-affected> (Incomplete fix for CVE-2024-29415 not applied)
+ [bullseye] - node-ip <not-affected> (Incomplete fix for CVE-2024-29415 not applied)
+ NOTE: https://github.com/indutny/node-ip/issues/160
+ NOTE: CVE exists for an incomplete fix of CVE-2024-29415
CVE-2025-59332 (3DAlloy is a lightWeight 3D-viewer for MediaWiki. From 1.0 through 1.8 ...)
NOT-FOR-US: 3DAlloy
CVE-2025-59145 (color-name is a JSON with CSS color names. On 8 September 2025, an npm ...)
@@ -140867,6 +140871,8 @@ CVE-2024-29415 (The ip package through 2.0.1 for Node.js might allow SSRF becaus
NOTE: https://github.com/indutny/node-ip/issues/150
NOTE: https://github.com/indutny/node-ip/pull/144
NOTE: https://github.com/indutny/node-ip/pull/143
+ NOTE: When fixing the issue make sure to not open CVE-2025-59436 (existing for
+ NOTE: an incomplete fix of CVE-2024-29415).
CVE-2024-27310 (Zoho ManageEngineADSelfService Plus versions below6401 are vulnerable ...)
NOT-FOR-US: Zoho ManageEngine
CVE-2024-0851 (Improper Neutralization of Special Elements used in an SQL Command ('S ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1d31ed8c0fcf93265b097964a95792a71dd41106
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1d31ed8c0fcf93265b097964a95792a71dd41106
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20250916/27b8c6a7/attachment.htm>
More information about the debian-security-tracker-commits
mailing list