The popular open source project, 'ip' had its GitHub repository archived, or made "read-only" by its developer as a result of a dubious CVE report filed for his project. Unfortunately, open-source developers have recently been met with an uptick in debatable or outright bogus CVEs filed for their projects.
  • progandy@feddit.de
    101·
    4 months ago

    It’s interesting, that it would be hard to make a case that there was a “vulnerability” in the ip package. But it seems like this package’s entire purpose is input validation so it’s kind of weird the dev thinks otherwise.

    Yes, input validation, probably for forms. What the Dev disputes is that he cannot see a case where it is used in a security critical way where

    1. the input format is unknown and
    2. it is essential to know if the IP is public or private.
    • SirQuackTheDuck@lemmy.world
      11·
      4 months ago

      Even worse, the CVE is effectively “if you use the package wrong, you get weird results”.

      The affected method has signature function isPrivate(ip: string): boolean. Passing in a hex number is not a string, and a method (toString) exists for this.