Popular npm library netmask has a critical IP-address parsing vulnerability.
CVE-2021-28918 – netmask npm package: improper input validation of octal literals in netmask v1.1.0 and below results in indeterminate SSRF and RFI vulnerabilities.
Netmask is used by hundreds of thousands of applications to parse IPv4 addresses and CIDR blocks and to compare them. The package sees over 3 million weekly downloads and more than 238 million downloads over its lifetime, and about 278,000 GitHub repositories depend on it.

The vulnerability, tracked as CVE-2021-28918, concerns how netmask handles mixed-format IP addresses, specifically an IPv4 address in which an octet carries a leading zero. An IPv4 address can be written in several formats, including hexadecimal and integer, although dotted decimal is by far the most common. Most system parsers, following inet_aton, treat an octet with a leading zero as octal, so 0177.0.0.1 means 127.0.0.1. netmask 1.1.0 and earlier read such an octet as decimal, so it sees 177.0.0.1 instead. An application that asks netmask whether a user-supplied address falls inside a private or loopback range therefore gets a different answer from the one the socket layer acts on when the connection is made.

Should an attacker be able to influence the IP address string the application parses, this mismatch gives rise to a range of issues, from Server-Side Request Forgery (SSRF) filter bypasses to Remote File Inclusion (RFI). The newly discovered issue leaves thousands of projects vulnerable to the SSRF bypass.
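The following is an added example written for this page, not netmask's own code and not code from the advisory. It places an inet_aton-style octet parser next to a decimal-only parser that stands in for the pre-2.0.0 behaviour, builds the same block-list check on each, and adds a hardened check that only accepts canonical dotted-decimal input. The function names, the blocked ranges and the sample addresses are all assumptions of the example.

```javascript
// Added example (not netmask's code): shows how two parsers disagree on
// "0177.0.0.1" and why an SSRF filter must reject non-canonical input.

// How BSD/glibc inet_aton, curl and most HTTP clients read one octet:
// "0x.." is hex, a leading "0" makes it octal, anything else is decimal.
function parseOctetInetAton(s) {
  if (!/^(?:0x[0-9a-f]+|0[0-7]*|[1-9][0-9]*)$/i.test(s)) return null;
  let v;
  if (/^0x/i.test(s)) v = parseInt(s.slice(2), 16);
  else if (s.length > 1 && s[0] === '0') v = parseInt(s, 8);
  else v = parseInt(s, 10);
  return v > 255 ? null : v;
}

// Assumed model of the pre-2.0.0 behaviour: the leading zero carries no
// meaning and every octet is read as plain decimal ("0177" -> 177).
function parseOctetLenient(s) {
  if (!/^[0-9]+$/.test(s)) return null;
  const v = parseInt(s, 10);
  return v > 255 ? null : v;
}

// Four-part dotted form only (inet_aton also accepts shorter forms such as
// "127.1"; that is left out here). Returns [a, b, c, d] or null.
function parseIPv4(str, parseOctet) {
  const parts = str.split('.');
  if (parts.length !== 4) return null;
  const octets = parts.map(parseOctet);
  return octets.includes(null) ? null : octets;
}

// Ranges an SSRF filter would normally refuse: loopback, link-local, RFC 1918.
function isBlockedRange(o) {
  return o[0] === 127 || o[0] === 10 || (o[0] === 169 && o[1] === 254) ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) || (o[0] === 192 && o[1] === 168);
}

// The decision a filter built on the lenient parser makes.
function lenientFilterAllows(ip) {
  const o = parseIPv4(ip, parseOctetLenient);
  return o !== null && !isBlockedRange(o);
}

// Where the connection actually goes once the same string reaches the socket layer.
function effectiveTarget(ip) {
  const o = parseIPv4(ip, parseOctetInetAton);
  return o === null ? null : o.join('.');
}

// Hardened filter: accept only canonical dotted-decimal (no leading zeros,
// no hex, exactly four octets), so the string has a single reading.
const CANONICAL_IPV4 =
  /^(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)$/;
function strictFilterAllows(ip) {
  return CANONICAL_IPV4.test(ip) && !isBlockedRange(ip.split('.').map(Number));
}

// Report, for one input, whether it slips past the lenient check while
// actually landing inside a blocked range (a bypass).
function assess(ip) {
  const target = effectiveTarget(ip);
  const lenientAllows = lenientFilterAllows(ip);
  return {
    ip,
    lenientAllows,
    strictAllows: strictFilterAllows(ip),
    target,
    bypass: lenientAllows && target !== null && isBlockedRange(target.split('.').map(Number)),
  };
}

// Constructed sample inputs for the demonstration.
for (const ip of ['8.8.8.8', '0177.0.0.1', '0x7f.0.0.1', '012.0.0.1', '127.0.0.1']) {
  console.log(assess(ip));
}
```

Running it shows 0177.0.0.1 and 012.0.0.1 flagged as bypasses: the lenient parser classifies them as 177.0.0.1 and 12.0.0.1 and lets them through, while the socket layer dials 127.0.0.1 and 10.0.0.1. The strict check refuses both because the strings are not canonical dotted-decimal, which is the safer posture regardless of which library does the parsing.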
Vulnerability type: Server-Side Request Forgery
Affected versions: netmask v1.1.0 and below
The fix for CVE-2021-28918 has been released in version 2.0.0 of netmask on npm; upgrade to 2.0.0 or later. Because netmask is usually pulled in transitively rather than listed directly, check the full dependency tree (for example with npm ls netmask) rather than only package.json.