
Olivier Poitrey

#28003 of 53,633
9.1 Total CVSS
Vulnerabilities · 1
PT-2021-17985
9.1
2021-03-28
Npm · Netmask · CVE-2021-28918
Name of the Vulnerable Software and Affected Versions:
netmask npm package, versions 1.0.6 and below
netmask npm package, version 2.0.0

Description:
The issue is caused by improper input validation of octal strings in the netmask npm package, which allows unauthenticated remote attackers to perform server-side request forgery (SSRF), remote file inclusion (RFI), and local file inclusion (LFI) attacks. The vulnerability can be exploited to bypass packages that rely on netmask to filter IP addresses and thereby reach critical VPN or LAN hosts. The netmask package is used by over 270,000 projects and has around 3 million downloads per week.

Recommendations:
For netmask npm package versions 1.0.6 and below: upgrade to version 2.0.1 or later to ensure complete protection from this vulnerability.
For netmask npm package version 2.0.0: upgrade to version 2.0.1 or later, as the initial fix in version 2.0.0 was incomplete.