Security: PeerPigeon/PigeonWT

SECURITY.md

Security Considerations

Known Security Issues

Transitive Dependency: ip Package (High Severity)

Status: Acknowledged - No fix available

Description: The ip package (version ≤2.0.1) used by bittorrent-tracker has a Server-Side Request Forgery (SSRF) vulnerability related to improper categorization in the isPublic method.

  • Advisory: GHSA-2p57-rm9w-gvfp (GitHub Security Advisory identifier)
  • CVSS Score: 8.1 (High)
  • Affected Package: ip (transitive dependency via bittorrent-tracker)
  • Direct Dependency: bittorrent-tracker@11.2.2 (latest version)

Mitigation:

  • The vulnerability is in a transitive dependency with no patched version available
  • The bittorrent-tracker package is already using the latest version (11.2.2)
  • The ip package has no newer versions beyond 2.0.1 (which is vulnerable)
  • The actual usage of the ip package in bittorrent-tracker is minimal and primarily for IP address parsing
  • The SSRF risk is low in typical PigeonWT deployments as the tracker doesn't make outbound requests based on user-controlled IP addresses

Recommendations:

  1. Monitor for updates to either ip or bittorrent-tracker packages
  2. Consider network-level protections (firewall rules, network segmentation)
  3. Run the tracker in isolated network environments when possible
  4. Regularly check for updates: npm audit and npm outdated

Tracking:

  • Watch for updates to bittorrent-tracker that may switch to an alternative package
  • Monitor the ip package repository for security patches: https://github.com/indutny/node-ip
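The advisory above is about how the ip package's isPublic method decides whether an address is publicly routable. The following Node.js helper is an added illustration, not code from PigeonWT, bittorrent-tracker or the ip package, of the fail-closed version of that decision that any component making outbound connections to peer-supplied addresses would want in front of it: it accepts only the canonical dotted-quad IPv4 form, so shorthand, octal or hexadecimal spellings are rejected instead of being reinterpreted, and it compares the parsed value against the non-routable ranges. The names (isPublicIPv4, ipv4ToInt, inCidr, classifyOutboundTarget, NON_PUBLIC_V4) and all sample addresses are constructed for this example.

```javascript
// Added example: fail-closed "is this IPv4 address publicly routable?" check.
// Not PigeonWT, bittorrent-tracker or ip-package code; every name and sample
// address below is constructed for illustration.

// Ranges that must never be treated as public: "this network", RFC 1918 private
// space, shared address space (CGNAT), loopback, link-local (where cloud
// metadata endpoints live), IETF protocol assignments, the documentation and
// benchmarking nets, multicast, and the reserved/broadcast block.
const NON_PUBLIC_V4 = [
  ['0.0.0.0', 8],
  ['10.0.0.0', 8],
  ['100.64.0.0', 10],
  ['127.0.0.0', 8],
  ['169.254.0.0', 16],
  ['172.16.0.0', 12],
  ['192.0.0.0', 24],
  ['192.0.2.0', 24],
  ['192.168.0.0', 16],
  ['198.18.0.0', 15],
  ['198.51.100.0', 24],
  ['203.0.113.0', 24],
  ['224.0.0.0', 4],
  ['240.0.0.0', 4],
];

// Exactly four decimal octets, 0-255, no leading zeros. Anything else
// ("127.1", "0177.0.0.1", "0x7f.0.0.1", IPv6 text) is rejected here rather
// than handed to a permissive parser that might reinterpret it.
const CANONICAL_V4 =
  /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;

// Parse a canonical dotted-quad string to an unsigned 32-bit integer, or
// return null when the input is not in canonical form.
function ipv4ToInt(addr) {
  if (typeof addr !== 'string' || !CANONICAL_V4.test(addr)) return null;
  return addr
    .split('.')
    .reduce((acc, octet) => ((acc << 8) | Number(octet)) >>> 0, 0);
}

// True when ipInt falls inside the CIDR block baseAddr/prefixLen.
function inCidr(ipInt, [baseAddr, prefixLen]) {
  const mask = prefixLen === 0 ? 0 : (0xffffffff << (32 - prefixLen)) >>> 0;
  return ((ipInt & mask) >>> 0) === ((ipv4ToInt(baseAddr) & mask) >>> 0);
}

// Fail closed: anything that is not a canonical, publicly routable IPv4
// address (including all IPv6 input, which this helper does not classify)
// is reported as non-public.
function isPublicIPv4(addr) {
  const ipInt = ipv4ToInt(addr);
  if (ipInt === null) return false;
  return !NON_PUBLIC_V4.some((range) => inCidr(ipInt, range));
}

// Decision helper to place in front of an outbound connection whose
// destination came from a peer; the reason string is meant for the logs.
function classifyOutboundTarget(addr) {
  if (ipv4ToInt(addr) === null) {
    return { allow: false, reason: 'not a canonical IPv4 address' };
  }
  if (!isPublicIPv4(addr)) {
    return { allow: false, reason: 'non-public range' };
  }
  return { allow: true, reason: 'public IPv4' };
}

// Constructed sample inputs (8.8.8.8 is a well-known public resolver, used
// only as a stand-in for a routable address).
const SAMPLES = ['8.8.8.8', '127.0.0.1', '127.1', '0x7f.0.0.1', '169.254.169.254', '10.0.0.5'];
for (const sample of SAMPLES) {
  console.log(sample.padEnd(18), JSON.stringify(classifyOutboundTarget(sample)));
}
```

The point of separating the canonical-form test from the range test is that the two failure modes are logged differently: a malformed or shorthand address is refused outright, while a well-formed address inside a private, loopback or link-local block is refused with the range reason, so a log review can tell probing from misconfiguration.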

Security Best Practices

Running PigeonWT in Production

  1. Network Isolation

    • Run trackers in isolated network segments
    • Use firewall rules to restrict outbound connections
    • Implement rate limiting at the network level
  2. Regular Updates

    • Keep dependencies up to date: npm update
    • Monitor security advisories: npm audit
    • Subscribe to GitHub security advisories for dependencies
  3. Access Control

    • Use environment variables for sensitive configuration
    • Never commit secrets or API keys to the repository
    • Implement authentication if deploying publicly
  4. Monitoring

    • Monitor server logs for suspicious activity
    • Track resource usage and connection patterns
    • Set up alerts for unusual traffic patterns
  5. Web Interface Security

    • The demo page uses CSP-safe DOM methods (no innerHTML with user data)
    • All user input is properly escaped using textContent
    • WebTorrent connections are peer-to-peer with WebRTC encryption

Reporting Security Issues

If you discover a security vulnerability in PigeonWT, please report it by:

  1. Opening a private security advisory on GitHub
  2. Or emailing the maintainers directly

Please do not open public issues for security vulnerabilities.

Security Audit History

  • 2025-10-25: Initial security review completed
    • Fixed XSS vulnerability in demo page (commit b8532f8)
    • Documented known ip package vulnerability
    • No critical issues found in application code