
Sitting comfortably? Then it's probably time to patch, as critical flaw uncovered in npm's netmask package
2021-03-29 18:27

The widely used npm library netmask has a networking vulnerability arising from how it parses IP addresses with a leading zero, leaving an estimated 278,000 projects at risk.

Researchers Victor Viale, Sick Codes, Kelly Kaoudis, John Jackson, and Nick Sahler have disclosed a digital nasty, tracked as CVE-2021-28918, in the hugely widespread netmask npm package.

Most IP parsers treat an octet with a leading zero as octal. Unless one is using netmask, that is, in which case the leading zero is simply stripped off and 0127 becomes 127. As a result, an address that looks like a private IP via netmask could be submitted but is actually a public address.

As for the vulnerability of those hundreds of thousands of projects, it depends on how netmask is being used.

Ax Sharma, security researcher at Sonatype, said such users "may not realise that they could be potentially vulnerable to anti-Server-Side Request Forgery bypasses or remote file inclusion should they be purely relying on netmask for parsing IP addresses, without adding their own proper input sanitisation and normalisation checks.

"This highlights the need for proper input hygiene and never trusting input no matter the source. In this case, for example, the fixes... applied to netmask now take into account that IP addresses can also be provided in octal or hexadecimal formats, something users of netmask could also have implemented on their end as an extra precaution."
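The following is an added illustration, not code from netmask or from the article. It models the two parsing conventions the story describes (leading zero stripped versus leading zero meaning octal, with 0x meaning hex) and shows the defender-side check Sharma alludes to: a strict parser that accepts only canonical dotted-decimal input, so "0127.0.0.1" is rejected rather than silently read as loopback. The private-range list and function names are this example's own assumptions.

```javascript
// Model of the behaviour the article attributes to netmask <= 1.0.6:
// leading zeros are dropped, so "0127" is read as decimal 127.
function legacyOctet(s) {
  return /^[0-9]+$/.test(s) ? parseInt(s, 10) : NaN;
}

// Model of inet_aton-style parsing used by most other tools:
// "0x.." is hex, a leading "0" is octal, anything else is decimal.
function inetAtonOctet(s) {
  if (/^0[xX][0-9a-fA-F]+$/.test(s)) return parseInt(s, 16);
  if (/^0[0-7]+$/.test(s)) return parseInt(s, 8);
  if (/^[0-9]+$/.test(s)) return parseInt(s, 10);
  return NaN;
}

// Split an address into four octets using the supplied octet parser.
function parseIPv4(addr, octetFn) {
  const parts = addr.split('.');
  if (parts.length !== 4) return null;
  const octets = parts.map(octetFn);
  if (octets.some(o => !Number.isInteger(o) || o < 0 || o > 255)) return null;
  return octets;
}

// Hardened form: canonical dotted-decimal only (no leading zeros, no hex).
const CANONICAL = /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;
function parseStrict(addr) {
  return CANONICAL.test(addr) ? addr.split('.').map(Number) : null;
}

// Assumed private/loopback ranges for the SSRF check (RFC 1918 + 127/8).
function isPrivate([a, b]) {
  return a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Compare how the same string is read by each convention.
function classify(addr) {
  const legacy = parseIPv4(addr, legacyOctet);
  const actual = parseIPv4(addr, inetAtonOctet);
  return {
    legacy: legacy && legacy.join('.'),
    actual: actual && actual.join('.'),
    legacyPrivate: legacy ? isPrivate(legacy) : null,
    actualPrivate: actual ? isPrivate(actual) : null,
    strictAccepted: parseStrict(addr) !== null,
  };
}

console.log(classify('0127.0.0.1'));
```

Running it shows "0127.0.0.1" read as loopback by the legacy model but as 87.0.0.1 by the octal convention, while the strict parser refuses the string outright.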


News URL

https://go.theregister.com/feed/www.theregister.com/2021/03/29/netmask_cve/

Related Vulnerability

Date: 2021-04-01
CVE: CVE-2021-28918
Vulnerability title: Incorrect Type Conversion or Cast vulnerability in Netmask Project Netmask
Description: Improper input validation of octal strings in netmask npm package v1.0.6 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages.
Attack vector: network
Attack complexity: low
Vendor: netmask-project
Weakness: CWE-704
Risk: critical (score 9.1)