Hardcoding IP addresses is security-sensitive. It has led in the past to the following vulnerabilities:
Today's services have an ever-changing architecture due to their scaling and redundancy needs. It is a mistake to think that a service will always have the same IP address. When it does change, the hardcoded IP will have to be modified too. This will have an impact on the product development, delivery, and deployment:
Last but not least it has an effect on application security. Attackers might be able to decompile the code and thereby discover a potentially sensitive address. They can perform a Denial of Service attack on the service, try to get access to the system, or try to spoof the IP address to bypass security checks. Such attacks can always be possible, but in the case of a hardcoded IP address solving the issue will take more time, which will increase an attack's impact.
The disclosed IP address is sensitive, e.g.:
There is a risk if you answered yes to any of these questions.
Don't hard-code the IP address in the source code, instead make it configurable with environment variables, configuration files, or a similar approach. Alternatively, if confidentially is not required a domain name can be used since it allows to change the destination quickly without having to rebuild the software.
String ip = "192.168.12.42"; // Sensitive Socket socket = new Socket(ip, 6667);
String ip = System.getenv("IP_ADDRESS"); // Compliant Socket socket = new Socket(ip, 6667);
No issue is reported for the following cases because they are not considered sensitive:
2.5.<number>.<number>
as they often match
Object Identifiers (OID).