Vulnerability in 'netmask' npm Package Affects 280,000 Projects

A vulnerability in the netmask npm package could expose private networks and lead to a variety of attacks, including malware delivery.


The newly identified issue (which is tracked as CVE-2021-28918) resides in the fact that the package would incorrectly read octal encoding, essentially resulting in the misinterpretation of supplied IP addresses.


Designed to parse IPv4 CIDR blocks to allow for their comparison and exploration, netmask is highly popular, registering millions of weekly downloads. At the moment, it is used by more than 278,000 other projects.


Because of this bug, netmask would consider private IP addresses as external IP addresses and the other way around, thus opening the door to a wide range of attacks, depending on the manner in which the package is used.


Some of the possible attacks include server-side request forgery, remote file inclusion, and local file inclusion, among others, a security researcher going by the name of Sick Codes explains.


Working together with application developer and researcher Victor Viale, Sick Codes discovered that netmask is incorrectly evaluating the first octet in an IP address that starts with 0, which is in octal format, and reads it as a true decimal value.


A remote, unauthenticated attacker could leverage the vulnerability to trick an application using the flawed package into fetching malicious code from an external IP address as if it was supplied from within the local network.


“A remote authenticated or unauthenticated attacker can bypass packages that rely on netmask to filter IP address blocks to reach in ..

Support the originator by clicking the read the rest link below.