Blog post

A Vulnerability in the Netmask Npm Package, Tracked as CVE-2021-28918

A vulnerability in the netmask npm package, tracked as CVE-2021-28918, could be exploited by attackers to conduct a variety of attacks.

The Netmask class was developed to parse and understand IPv4 CIDR blocks, it can be explored and compared. This module is highly inspired by Perl Net::Netmask module. The package registers millions of weekly downloads and is currently used by more than 278,000 projects.

The CVE-2021-28918 flaw resides in the fact that the netmask would incorrectly read octal encoding failing to recognize IP addresses and distinguish IP addresses from external IP addresses, leading to a wide range of attacks.

Server-side request forgery, local and remote file inclusion, are just some of the attacks that could be conducted by attackers.

Below the disclosure timeline:

2021-03-16 — Researchers discover vulnerability
2021-03-17 — Vendor notified
2021-03-17 — CVE requested
2021-03-19 — CVE assigned CVE-2021-28918
2021-03-28 — Vulnerability published

Related What I Do

These What I Do pages are matched from the subject matter of this article, creating a cleaner path from educational content to implementation work.

Based on shared categories first, then the strongest overlap in tags.

A Vulnerability in the Netmask Npm Package, Tracked as CVE-2021-28918

Related What I Do

Related articles

What GitHub Copilot Agent Management Means for Developer Workflow

What Cloudflare Flagship Means for Feature-Flagged AI Products

What Cloudflare Registrar API Beta Means for Builders