CVE-2025-59436 — Vulnetix

CVE-2025-59436 PUBLISHED CVSS 3.200000047683716 LOW

The ip (aka node-ip) package through 2.0.1 (in NPM) might allow SSRF because the IP address value 017700000001 is improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2024-29415.

EPSS 0.02% · 5.5th percentile

Risk Scores

CVSS 3.1

3.200000047683716

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N

EPSS Score

0.02%

5.5th percentile

Affected Products

Vendor	Product	Versions
fedorindutny	ip	0

Exploit Intelligence

CIRCL seen: CVE-2025-59436 (circl-sighting)
https://cosmosofcyberspace.github.io/CVE-Application-Document.html (circl)
https://github.com/indutny/node-ip/issues/160 (circl)

Timeline

Sep 16, 2025 CVE Published
Sep 16, 2025 EPSS Score
Sep 16, 2025 Coalition ESS Score
Sep 16, 2025 PoC Published
Sep 16, 2025 CVE Updated
Sep 23, 2025 EPSS Score
Sep 30, 2025 EPSS Score
Oct 4, 2025 Coalition ESS Score
Oct 6, 2025 Coalition ESS Score
Oct 7, 2025 EPSS Score
Oct 14, 2025 EPSS Score
Oct 18, 2025 Coalition ESS Score

References

Open in Interactive Console →