[aPoCoMiLogin]

the CVE for the node-ip requires also few special conditions - very uncommon format (never seen IP in hex anywhere), use of `isPublic` function (this lib has more functions), and even if this two conditions were meet, there is still one more condition - the ability to do SSRF. 9.8 score in this case is crazy.

don't get me wrong, it is an issue, but not critical, making everything critical, for frontend libs on npm creates fatigue and nobody takes these scores seriously anymore. in case of real issue, nobody will care enough to patch it, as everything is critical.

[SpicyLemonZest]

I don't think you're wrong, but it gets to the underlying question of what these systems are for. If you start from the perspective that you're going to patch all known CVEs, it doesn't seem like a big practical problem that this is 9.8 - it's unlikely your system is exposed, but equally unlikely you'd have a hard time upgrading node-ip. If you're not going to patch all known CVEs, CVSS scores aren't a useful guide to which ones are absolute must-fixes; Heartbleed was famously 5.0 when disclosed, and it's still only a 7.5 on the new scale.

[aPoCoMiLogin]

here's recent openssh RCE classified as 9.8 https://www.qualys.com/regresshion-cve-2024-6387/

the difference: you can find affected openssh servers, with the node-ip issue you have to find very rare instance that would allow for SSRF and create exploit for the exact use case. with openssh you can make it really broad.

so the 9.8 score for node-ip is crazy high, and nobody should question it, it should be ~6 max

[SpicyLemonZest]

Again, the score is mechanically calculated from specific features of the vulnerability, and the number of instances on the Internet which are exposed isn't one of those features.

I would agree that the CVSS is not, in this instance, measuring something particularly related to the practical importance of the vulnerability. I agree nobody can really dispute that. But does that mean that the next version of CVSS should include "I bet not many systems are exposed" or "I subjectively think this isn't that bad" dimensions? I'm skeptical - that seems like it would create more problems than it solves.

[aPoCoMiLogin]

i only want the score to represent real threat, not what features it includes, as that is meaningless in the long run. i agree that it shouldn't include "i think is bad" as that is meaningless as well, the score should represent the threat, not the features.

because i'm checking dependabot [0][1] regularly, there is a lot of issues with very high scores for frontend libraries, that have really low impact, because it "checks" some features. eg some plugin for jquery (frontend lib) [2] that has the same score as heartbleed, which is insane and shows how useless the score is in current form.

- https://docs.github.com/en/code-security/dependabot/dependab...

- https://github.com/advisories?query=type%3Areviewed

- https://github.com/advisories/GHSA-ffmh-x56j-9rc3