A Vulnerability in the Netmask Npm Package, Tracked as CVE-2021-28918

A vulnerability in the netmask npm package, tracked as CVE-2021-28918, could be exploited by attackers to conduct a variety of attacks.

The Netmask class was developed to parse and understand IPv4 CIDR blocks, it can be explored and compared. This module is highly inspired by Perl Net::Netmask module. The package registers millions of weekly downloads and is currently used by more than 278,000 projects.

The CVE-2021-28918 flaw resides in the fact that the netmask would incorrectly read octal encoding failing to recognize IP addresses and distinguish IP addresses from external IP addresses, leading to a wide range of attacks.

Server-side request forgery, local and remote file inclusion, are just some of the attacks that could be conducted by attackers.

Below the disclosure timeline:

  • 2021-03-16 – Researchers discover vulnerability
  • 2021-03-17 – Vendor notified
  • 2021-03-17 – CVE requested
  • 2021-03-19 – CVE assigned CVE-2021-28918
  • 2021-03-28 – Vulnerability published

Related Posts