Critical netmask networking bug impacts thousands of applications
Popular npm library netmask has a critical networking vulnerability.
Netmask is frequently used by hundreds of thousands of applications to parse IPv4 addresses and CIDR blocks or compare them.
Because of insufficient input validation in the library, netmask parses an IP address that contains an octet with a leading zero differently from other software, so it ends up seeing a different IP address than the one actually intended.
Ultimately, Jackson says, this newly discovered issue in netmask leaves thousands of projects vulnerable to the SSRF bypass.
Following the researchers' responsible reporting of the vulnerability, netmask developer and director of engineering at Netflix, Olivier Poitrey, pushed out a series of fixes [1, 2, 3] for the bug to GitHub, along with test cases validating that IPv4 octets with 0-prefixes are treated as octal and not decimal numbers.
Developers using the Perl Netmask component and similar ones are advised to ensure their applications sanitize and normalize IP addresses before passing them as inputs to such components, or preferably to upgrade to the fixed version wherever applicable.
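The example below is added here and is not code from netmask or its maintainers. It places a naive all-decimal octet parser (the behaviour the article describes) beside an octal-aware parser (the convention the fix adopted) and a strict canonical check, then runs a constructed sample address through each so the disagreement, and the normalization step that removes it, are both visible. The function and constant names are the example's own.

```javascript
// Added example, not netmask's own code: three IPv4 parsers side by side.

// Flawed behaviour the article describes: every octet is read as decimal,
// so "0177" becomes 177 and the leading zero is silently dropped.
function parseDecimalNaive(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  const octets = parts.map((p) => (/^\d+$/.test(p) ? parseInt(p, 10) : NaN));
  return octets.some((o) => Number.isNaN(o) || o > 255) ? null : octets;
}

// Convention adopted by the fix (and followed by inet_aton-style parsers):
// a leading zero marks an octal octet, so "0177" is 127.
function parseOctalAware(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  const octets = parts.map((p) => {
    if (/^0[0-7]+$/.test(p)) return parseInt(p, 8);
    if (/^(0|[1-9]\d*)$/.test(p)) return parseInt(p, 10);
    return NaN;
  });
  return octets.some((o) => Number.isNaN(o) || o > 255) ? null : octets;
}

// Strict canonical form for untrusted input: four decimal octets 0-255 with
// no leading zeros, so there is nothing left for two parsers to disagree on.
function parseStrictCanonical(ip) {
  const oct = "(0|[1-9]\\d{0,2})";
  const m = new RegExp(`^${oct}\\.${oct}\\.${oct}\\.${oct}$`).exec(ip);
  if (!m) return null;
  const octets = m.slice(1, 5).map(Number);
  return octets.some((o) => o > 255) ? null : octets;
}

// Loopback (127/8) or RFC 1918 private space?
function isInternal([a, b]) {
  return a === 127 || a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Classify a destination the way an SSRF filter would, using the given parser.
function classify(ip, parser) {
  const octets = parser(ip);
  if (octets === null) return "reject";
  return isInternal(octets) ? "internal" : "external";
}

// Constructed sample: 127.0.0.1 written with an octal first octet.
const SAMPLE = "0177.0.0.1";
console.log(classify(SAMPLE, parseDecimalNaive));    // "external": the flawed check
console.log(classify(SAMPLE, parseOctalAware));      // "internal": the octal reading
console.log(classify(SAMPLE, parseStrictCanonical)); // "reject": ambiguity never passes
```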