refactor: replace express-ipfilter with lightweight custom middleware

This fixes security issue CVE-2023-42282, which is not very likely
to be exploitable in MagicMirror² setups, but still should be fixed.

The `express-ipfilter` package depends on the unmaintained `ip`
package, which has known security vulnerabilities. Since no fix
is available, this commit replaces both dependencies with a custom
middleware using the better maintained `ipaddr.js` library.

Changes:
- Add new `js/ip_access_control.js` with lightweight middleware
- Remove `express-ipfilter` dependency, add `ipaddr.js`
- Update `js/server.js` to use new middleware

Author: KristjanESPERANTO

CHANGELOG.md

@@ -21,6 +21,7 @@ planned for 2026-01-01
 
 - feat: add ESlint rule `no-sparse-arrays` for config check to fix #3910 (#3911)
 - fixed eslint warnings shown in #3911 and updated npm publish docs (#3913)
+- [core] refactor: replace `express-ipfilter` with lightweight custom middleware (#3917) - This fixes security issue [CVE-2023-42282](https://github.com/advisories/GHSA-78xj-cgh5-2h22), which is not very likely to be exploitable in MagicMirror² setups, but still should be fixed.
 
 ### Updated
 

js/ip_access_control.js

@@ -0,0 +1,63 @@
+const ipaddr = require("ipaddr.js");
+const Log = require("logger");
+
+/**
+ * Checks if a client IP matches any entry in the whitelist
+ * @param {string} clientIp - The IP address to check
+ * @param {string[]} whitelist - Array of IP addresses or CIDR ranges
+ * @returns {boolean} True if IP is allowed
+ */
+function isAllowed (clientIp, whitelist) {
+	try {
+		const addr = ipaddr.process(clientIp);
+
+		return whitelist.some((entry) => {
+			try {
+				// CIDR notation
+				if (entry.includes("/")) {
+					const [rangeAddr, prefixLen] = ipaddr.parseCIDR(entry);
+					return addr.match(rangeAddr, prefixLen);
+				}
+
+				// Single IP address - let ipaddr.process normalize both
+				const allowedAddr = ipaddr.process(entry);
+				return addr.toString() === allowedAddr.toString();
+			} catch (err) {
+				Log.warn(`Invalid whitelist entry: ${entry}`);
+				return false;
+			}
+		});
+	} catch (err) {
+		Log.warn(`Failed to parse client IP: ${clientIp}`);
+		return false;
+	}
+}
+
+/**
+ * Creates an Express middleware for IP whitelisting
+ * @param {string[]} whitelist - Array of allowed IP addresses or CIDR ranges
+ * @returns {import("express").RequestHandler} Express middleware function
+ */
+function ipAccessControl (whitelist) {
+	// Empty whitelist means allow all
+	if (!Array.isArray(whitelist) || whitelist.length === 0) {
+		return function (req, res, next) {
+			res.header("Access-Control-Allow-Origin", "*");
+			next();
+		};
+	}
+
+	return function (req, res, next) {
+		const clientIp = req.ip || req.socket.remoteAddress;
+
+		if (isAllowed(clientIp, whitelist)) {
+			res.header("Access-Control-Allow-Origin", "*");
+			next();
+		} else {
+			Log.log(`IP ${clientIp} is not allowed to access the mirror`);
+			res.status(403).send("This device is not allowed to access your mirror. <br> Please check your config.js or config.js.sample to change this.");
+		}
+	};
+}
+
+module.exports = { ipAccessControl };

js/server.js

@@ -3,12 +3,13 @@ const http = require("node:http");
 const https = require("node:https");
 const path = require("node:path");
 const express = require("express");
-const ipfilter = require("express-ipfilter").IpFilter;
 const helmet = require("helmet");
 const socketio = require("socket.io");
 const Log = require("logger");
 const { cors, getConfig, getHtml, getVersion, getStartup, getEnvVars } = require("#server_functions");
 
+const { ipAccessControl } = require(`${__dirname}/ip_access_control`);
+
 const vendor = require(`${__dirname}/vendor`);
 
 /**
@@ -84,17 +85,7 @@ function Server (config) {
 				Log.warn("You're using a full whitelist configuration to allow for all IPs");
 			}
 
-			app.use(function (req, res, next) {
-				ipfilter(config.ipWhitelist, { mode: config.ipWhitelist.length === 0 ? "deny" : "allow", log: false })(req, res, function (err) {
-					if (err === undefined) {
-						res.header("Access-Control-Allow-Origin", "*");
-						return next();
-					}
-					Log.log(err.message);
-					res.status(403).send("This device is not allowed to access your mirror. <br> Please check your config.js or config.js.sample to change this.");
-				});
-			});
-
+			app.use(ipAccessControl(config.ipWhitelist));
 			app.use(helmet(config.httpHeaders));
 			app.use("/js", express.static(__dirname));