Sitting comfortably? Then it's probably time to patch, as critical flaw uncovered in npm's netmask package

The widely used npm library netmask has a networking vulnerability arising from how it parses IP addresses with a leading zero, leaving an estimated 278 million projects at risk.


Researchers Victor Viale, Sick Codes, Kelly Kaoudis, John Jackson, and Nick Sahler have disclosed a digital nasty, tracked as CVE-2021-28918, in the hugely widespread netmask npm package.

It's a handy bit of code used for parsing and comparing IP addresses, and the flaw lies in how it handles mixed-format IP addresses, namely what it does when an octet has a leading zero.


As an example, the IPv4 address 127.0.0.1 is localhost. However, pop 0127.0.0.1 into a browser and that 0127 gets treated as octal and changed to its decimal equivalent, which is 87. Thus 0127.0.0.1 is actually 87.0.0.1.
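To make the discrepancy concrete, here is an added example (not code from the netmask package or from the article) that parses the same dotted-quad string under three rules: the inet_aton/browser rule described above (leading zero means octal, 0x means hexadecimal), a naive rule that reads every octet as decimal and ignores leading zeros (an assumed contrasting behaviour, since the article does not spell out netmask's exact handling), and a strict rule that simply rejects any ambiguous octet. The function names and sample inputs are constructed for this example.

```javascript
// Added example: three interpretations of an IPv4 octet with a leading zero.

// inet_aton / browser rule: "0x.." is hex, "0.." is octal, otherwise decimal.
// Returns null when the octet is not valid under that rule (e.g. "08").
function parseOctetLikeInetAton(s) {
  if (!/^(0x[0-9a-f]+|0[0-7]*|[1-9][0-9]*)$/i.test(s)) return null;
  let value;
  if (/^0x/i.test(s)) value = parseInt(s.slice(2), 16);
  else if (s.length > 1 && s[0] === '0') value = parseInt(s, 8);
  else value = parseInt(s, 10);
  return value >= 0 && value <= 255 ? value : null;
}

// Naive rule (assumed for contrast): plain decimal, leading zeros ignored.
function parseOctetDecimalIgnoringLeadingZero(s) {
  if (!/^[0-9]+$/.test(s)) return null;
  const value = parseInt(s, 10);
  return value <= 255 ? value : null;
}

// Strict rule: 1-3 decimal digits, no leading zero except "0" itself,
// no hex prefix. Anything whose meaning depends on the parser is rejected.
function parseOctetStrict(s) {
  if (!/^(0|[1-9][0-9]{0,2})$/.test(s)) return null;
  const value = Number(s);
  return value <= 255 ? value : null;
}

// Apply one octet rule to a dotted quad; returns the canonical decimal
// form, or null if any octet is rejected by that rule.
function parseIPv4(str, octetParser) {
  const parts = str.split('.');
  if (parts.length !== 4) return null;
  const octets = parts.map(octetParser);
  if (octets.some((o) => o === null)) return null;
  return octets.join('.');
}

// Show how each rule reads the same input, so a reviewer can spot
// addresses whose meaning changes between components.
function classify(str) {
  return {
    input: str,
    inetAton: parseIPv4(str, parseOctetLikeInetAton),
    decimal: parseIPv4(str, parseOctetDecimalIgnoringLeadingZero),
    strict: parseIPv4(str, parseOctetStrict),
  };
}

// An address is ambiguous when the octal-aware and naive readings differ.
function isAmbiguous(str) {
  const c = classify(str);
  return c.inetAton !== c.decimal;
}

// Sample inputs (constructed for this example).
for (const ip of ['127.0.0.1', '0127.0.0.1', '010.0.0.1', '08.0.0.1']) {
  console.log(classify(ip), 'ambiguous:', isAmbiguous(ip));
}
```

The practical takeaway for anyone validating addresses before an allow/deny decision is the strict rule: a parser that refuses leading zeros and hex prefixes cannot disagree with the operating system about which host 0127.0.0.1 refers to, whereas a parser that silently reads it as 127.0.0.1 will make an access-control decision about a different address than the one the connection actually reaches.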

Unless one is using netmask, in which case ..
