GoranStimac.com


A vulnerability in the netmask npm package, tracked as CVE-2021-28918

Projects maintained here that rely on this npm package have already been updated, or will be as soon as a fixed release is available.

A vulnerability in the netmask npm package, tracked as CVE-2021-28918, lets an attacker slip internal addresses past IP-range checks built on the library, which opens the door to several classes of attack.

The Netmask class parses IPv4 CIDR blocks so that they can be inspected and compared; the module is modelled on Perl's Net::Netmask. The package registers millions of weekly downloads and is currently used by more than 278,000 projects.

The CVE-2021-28918 flaw lies in how netmask parses dotted-quad addresses: it reads every octet as decimal and silently drops leading zeros, whereas the C library's inet_aton(3), and therefore the operating system resolver and most HTTP clients, treats an octet with a leading zero as octal. An address such as 0177.0.0.1, which the OS connects to as 127.0.0.1, is seen by netmask as 177.0.0.1, a public address. Any allow-list or deny-list built on netmask therefore fails to tell loopback and private addresses apart from external ones, and that mismatch between the filter and the code that actually opens the connection is what an attacker exploits.

Server-side request forgery and local or remote file inclusion are among the attacks this enables: a user-supplied URL pointing at 0177.0.0.1 passes a check meant to block localhost, yet the request is actually sent to the local machine.
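To make the parsing mismatch concrete, here is an added example (not netmask's own code; the addresses, the denied-range list and the function names are constructed for the demonstration): a tiny IPv4/CIDR implementation with an octet parser that drops leading zeros the way the vulnerable release did, next to one that follows the inet_aton(3) rules, and the same SSRF-style deny-list check run through both.

```javascript
// Added example, not netmask's own code: a minimal IPv4/CIDR implementation
// that reproduces the CVE-2021-28918 octet-parsing behaviour next to a
// corrected parser, and an SSRF-style "is this address internal?" check
// built on each. All addresses below are constructed for the demonstration.

// Vulnerable behaviour: every octet is read as base 10, so a leading zero is
// silently ignored and "0177" becomes 177 rather than octal 0177 = 127.
function parseOctetVulnerable(octet) {
  const value = parseInt(octet, 10);
  if (Number.isNaN(value) || value < 0 || value > 255) {
    throw new Error(`invalid octet: ${octet}`);
  }
  return value;
}

// Corrected behaviour, following the inet_aton(3) rules the OS resolver uses:
// "0x" prefix => hexadecimal, leading "0" => octal, anything else => decimal.
// Malformed octets such as "08" or "256" are rejected instead of guessed at.
function parseOctetStrict(octet) {
  let value;
  if (/^0[xX][0-9a-fA-F]+$/.test(octet)) {
    value = parseInt(octet.slice(2), 16);
  } else if (/^0[0-7]+$/.test(octet)) {
    value = parseInt(octet.slice(1), 8);
  } else if (/^(0|[1-9][0-9]*)$/.test(octet)) {
    value = parseInt(octet, 10);
  } else {
    throw new Error(`invalid octet: ${octet}`);
  }
  if (value > 255) throw new Error(`octet out of range: ${octet}`);
  return value;
}

// Dotted quad -> unsigned 32-bit integer, using the supplied octet parser.
function ipToLong(ip, parseOctet) {
  const parts = ip.split('.');
  if (parts.length !== 4) throw new Error(`expected a dotted quad: ${ip}`);
  return parts.reduce((acc, part) => ((acc << 8) | parseOctet(part)) >>> 0, 0);
}

// Unsigned 32-bit integer -> decimal dotted quad, to show what each parser "saw".
function longToIp(n) {
  return [24, 16, 8, 0].map((shift) => (n >>> shift) & 255).join('.');
}

// True when `ip` lies inside the CIDR `block`, both parsed with `parseOctet`.
function inBlock(ip, block, parseOctet) {
  const [network, prefix] = block.split('/');
  const bits = parseInt(prefix, 10);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  const net = (ipToLong(network, parseOctet) & mask) >>> 0;
  return ((ipToLong(ip, parseOctet) & mask) >>> 0) === net;
}

// Ranges a typical SSRF filter refuses to fetch from (constructed list).
const DENIED_BLOCKS = [
  '127.0.0.0/8',    // loopback
  '10.0.0.0/8',     // RFC 1918
  '172.16.0.0/12',  // RFC 1918
  '192.168.0.0/16', // RFC 1918
  '169.254.0.0/16', // link-local, including cloud metadata endpoints
];

function isInternal(ip, parseOctet) {
  return DENIED_BLOCKS.some((block) => inBlock(ip, block, parseOctet));
}

// Run the same octal-encoded address through both parsers and the deny list.
function compare(ip) {
  return {
    input: ip,
    vulnerableSees: longToIp(ipToLong(ip, parseOctetVulnerable)),
    vulnerableBlocks: isInternal(ip, parseOctetVulnerable),
    strictSees: longToIp(ipToLong(ip, parseOctetStrict)),
    strictBlocks: isInternal(ip, parseOctetStrict),
  };
}

// 0177 = 127, 012 = 10, 0254.020 = 172.16 in octal.
for (const ip of ['0177.0.0.1', '012.0.0.1', '0254.020.0.1']) {
  console.log(compare(ip));
}
```

Run it with node: for each input the vulnerable parser reports a public address and lets it through, while the strict parser recovers the loopback or RFC 1918 address and blocks it. The strict parser also refuses malformed octets such as 08 or 256 rather than guessing; a filter that cannot parse an address should reject it, not pass it along to the code that opens the connection.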

Disclosure timeline:

  • 2021-03-16 – Researchers discover vulnerability
  • 2021-03-17 – Vendor notified
  • 2021-03-17 – CVE requested
  • 2021-03-19 – CVE assigned CVE-2021-28918
  • 2021-03-28 – Vulnerability published

Every other package and project that depends on netmask needs to move to a fixed release (2.0.0 or later) and, until it does, should not rely on netmask alone to tell internal addresses from external ones.
