A vulnerability in the netmask npm package, tracked as CVE-2021-28918, could be exploited by attackers to conduct a variety of attacks.
The Netmask class was developed to parse and understand IPv4 CIDR blocks, it can be explored and compared. This module is highly inspired by Perl Net::Netmask module. The package registers millions of weekly downloads and is currently used by more than 278,000 projects.
The CVE-2021-28918 flaw resides in the fact that the netmask would incorrectly read octal encoding failing to recognize IP addresses and distinguish IP addresses from external IP addresses, leading to a wide range of attacks.
Server-side request forgery, local and remote file inclusion, are just some of the attacks that could be conducted by attackers.
Below the disclosure timeline:
- 2021-03-16 – Researchers discover vulnerability
- 2021-03-17 – Vendor notified
- 2021-03-17 – CVE requested
- 2021-03-19 – CVE assigned CVE-2021-28918
- 2021-03-28 – Vulnerability published