
A vulnerability in the netmask npm package, tracked as CVE-2021-28918

Maintained projects that rely on this npm package have been updated, or will be as soon as an update is available.

A vulnerability in the netmask npm package, tracked as CVE-2021-28918, could be exploited by attackers to conduct a variety of attacks.

The Netmask class was developed to parse and understand IPv4 CIDR blocks so that they can be explored and compared. The module is heavily inspired by the Perl Net::Netmask module. The package registers millions of weekly downloads and is currently used by more than 278,000 projects.

The CVE-2021-28918 flaw stems from the way netmask handled IPv4 octets written with a leading zero: instead of treating them as octal, as most network stacks and libc's inet_aton do, it read them as decimal. An address such as 0177.0.0.1 (127.0.0.1 in octal notation) was therefore evaluated as 177.0.0.1, so the library could not reliably tell internal (loopback or private) addresses from external ones, and any allow or deny decision built on it could be bypassed.

Server-side request forgery (SSRF) and local and remote file inclusion (LFI/RFI) are just some of the attacks that could be conducted against applications relying on netmask to filter addresses.
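The following is an added example, not code from the netmask package or from the researchers' advisory. It contrasts a naive octet parser that reads every octet as base 10 (the behaviour the flaw describes) with an inet_aton-style parser that honours octal (leading 0) and hex (leading 0x) octets, and shows how an internal-address filter built on the naive parser lets 0177.0.0.1 through as a public address while the connecting socket resolves it to 127.0.0.1. The function names, the range list and the sample addresses are assumptions made for the example.

```javascript
// Added example (not netmask's own code). Two octet parsers, one CIDR matcher
// and a filter, to show the octal-confusion SSRF bypass behind CVE-2021-28918.

// Naive parser: every octet is base 10; a leading zero is silently ignored,
// so "0177" becomes 177. This mirrors the behaviour the flaw describes.
function ip4ToIntNaive(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d+$/.test(p)) return null;
    const v = parseInt(p, 10);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n >>> 0;
}

// inet_aton-style parser: "0x.." is hex, a leading "0" is octal, else decimal.
// This is how libc's inet_aton (and thus curl, wget, etc.) read each octet.
function ip4ToIntInetAton(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    let v;
    if (/^0[xX][0-9a-fA-F]+$/.test(p)) v = parseInt(p.slice(2), 16);
    else if (/^0[0-7]+$/.test(p)) v = parseInt(p.slice(1), 8);
    else if (/^(0|[1-9]\d*)$/.test(p)) v = parseInt(p, 10);
    else return null;                    // e.g. "08" is not valid octal
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n >>> 0;
}

// Render a 32-bit integer back to dotted-decimal, to show what the naive
// parser actually believed the address to be.
function intToDotted(n) {
  return [24, 16, 8, 0].map(s => (n >>> s) & 255).join('.');
}

// True if ipInt falls inside cidr ("a.b.c.d/bits"), using the given parser
// for the base address.
function inCidr(ipInt, cidr, parse) {
  const [base, bitsStr] = cidr.split('/');
  const bits = parseInt(bitsStr, 10);
  const baseInt = parse(base);
  if (baseInt === null || Number.isNaN(bits) || bits < 0 || bits > 32) return false;
  const mask = bits === 0 ? 0 : ((0xffffffff << (32 - bits)) >>> 0);
  return ((ipInt & mask) >>> 0) === ((baseInt & mask) >>> 0);
}

// Loopback, RFC 1918 and link-local ranges (assumed list for the example).
const INTERNAL_RANGES = [
  '127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '169.254.0.0/16',
];

// An SSRF-style filter: reject internal targets. Unparseable input fails closed.
function isInternal(ip, parse) {
  const n = parse(ip);
  if (n === null) return true;
  return INTERNAL_RANGES.some(c => inCidr(n, c, parse));
}

// Compare the filter's verdict with the address the socket would really dial.
function filterVerdict(ip) {
  const naive = ip4ToIntNaive(ip);
  const real = ip4ToIntInetAton(ip);
  return {
    input: ip,
    filterSaw: naive === null ? null : intToDotted(naive),
    filterBlocked: isInternal(ip, ip4ToIntNaive),
    socketDials: real === null ? null : intToDotted(real),
    reallyInternal: isInternal(ip, ip4ToIntInetAton),
  };
}

// Constructed sample inputs: octal loopback, octal 10/8, hex loopback, plain public.
for (const ip of ['0177.0.0.1', '012.0.0.1', '0x7f.0.0.1', '8.8.8.8']) {
  console.log(filterVerdict(ip));
}
```

The first sample is the bypass: the naive filter sees 177.0.0.1, a public address, and allows it, while inet_aton dials 127.0.0.1. The hex form is rejected outright by the naive parser and so fails closed; the danger is specifically the octal form, which the naive parser accepts and misreads. The fix is to parse octets the same way the consumer of the address does, or to reject leading zeros and hex entirely before filtering.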

Below the disclosure timeline:

  • 2021-03-16 – Researchers discover vulnerability
  • 2021-03-17 – Vendor notified
  • 2021-03-17 – CVE requested
  • 2021-03-19 – CVE assigned CVE-2021-28918
  • 2021-03-28 – Vulnerability published