PT-2026-37304 · Npm · Link-Preview-Js
Andrew-Most-Likely · Published 2026-05-05 · Updated 2026-05-11 · CVE-2026-43897
CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
Link Preview JS versions prior to 4.0.1
Description
The library does not check for IPv6 loopback addresses and is susceptible to DNS-based attacks in which a hostname resolves to an internal IP address. These issues may lead to internal data leaks.
Recommendations
Update to version 4.0.1.
Use the resolveDNSHost option to perform DNS resolution before fetching content.
Perform manual validation before fetching content as a temporary workaround.
Fix
SSRF
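One way to do the manual validation recommended above, as an added example that is not code from link-preview-js: resolve the host first and refuse the URL if any resulting address is internal, covering the IPv6 loopback and IPv4-mapped forms as well as hostnames that resolve to private ranges. The function names (`isInternalAddress`, `assertPublicUrl`) and the range list are assumptions made for this illustration.

```javascript
const net = require('node:net');
const dns = require('node:dns').promises;
// Internal IPv4 ranges as [base, prefix length] (assumed list; extend for your network).
const V4_INTERNAL = [['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16]];
const v4ToInt = (ip) => ip.split('.').reduce((n, o) => n * 256 + Number(o), 0);

function isInternalV4(ip) {
  const net32 = (addr, bits) => Math.floor(v4ToInt(addr) / 2 ** (32 - bits));
  return V4_INTERNAL.some(([base, bits]) => net32(ip, bits) === net32(base, bits));
}

// Expand an IPv6 literal (optional "::" and dotted-quad tail) into 8 numeric groups.
function expandV6(ip) {
  let s = ip.toLowerCase().split('%')[0]; // drop any zone id
  const m = s.match(/^(.*:)(\d+\.\d+\.\d+\.\d+)$/);
  if (m) {
    const n = v4ToInt(m[2]);
    s = `${m[1]}${Math.floor(n / 65536).toString(16)}:${(n % 65536).toString(16)}`;
  }
  const [head, tail] = s.split('::');
  const h = head ? head.split(':') : [];
  const t = tail ? tail.split(':') : [];
  const gap = tail === undefined ? [] : Array(8 - h.length - t.length).fill('0');
  return [...h, ...gap, ...t].map((g) => parseInt(g, 16));
}

function isInternalAddress(ip) {
  const family = net.isIP(ip);
  if (family === 4) return isInternalV4(ip);
  if (family !== 6) return true; // not an IP literal: fail closed
  const g = expandV6(ip);
  if (g.slice(0, 7).every((x) => x === 0) && g[7] <= 1) return true; // :: and ::1
  if (g.slice(0, 5).every((x) => x === 0) && g[5] === 0xffff) { // IPv4-mapped
    return isInternalV4(`${g[6] >> 8}.${g[6] & 255}.${g[7] >> 8}.${g[7] & 255}`);
  }
  return (g[0] & 0xfe00) === 0xfc00 || (g[0] & 0xffc0) === 0xfe80; // ULA, link-local
}

// Resolve every A/AAAA record and reject the URL if any one of them is internal.
async function assertPublicUrl(rawUrl, lookup = (h) => dns.lookup(h, { all: true })) {
  const url = new URL(rawUrl);
  if (!['http:', 'https:'].includes(url.protocol)) throw new Error('scheme not allowed');
  const host = url.hostname.replace(/^\[|\]$/g, ''); // URL keeps brackets on IPv6 hosts
  const addrs = net.isIP(host) ? [{ address: host }] : await lookup(host);
  const bad = addrs.find((a) => isInternalAddress(a.address));
  if (bad) throw new Error(`blocked internal address ${bad.address}`);
  return addrs.map((a) => a.address);
}
```

The check only holds if the subsequent request connects to one of the returned addresses; resolving the hostname a second time at fetch time lets the answer change between validation and use. Redirect targets need the same validation before they are followed.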
Weakness Enumeration
Related Identifiers
Affected Products
Link-Preview-Js