
Vulnerability in 'netmask' npm Package Affects 280,000 Projects
2021-03-29 18:30

A vulnerability in the netmask npm package could expose private networks and lead to a variety of attacks, including malware delivery.

Because of this bug, netmask would consider private IP addresses as external IP addresses and the other way around, thus opening the door to a wide range of attacks, depending on the manner in which the package is used.

Working together with application developer and researcher Victor Viale, Sick Codes discovered that netmask incorrectly evaluates an IP address whose first octet starts with 0: such an octet is written in octal format, but netmask reads it as a plain decimal value.

A remote, unauthenticated attacker could leverage the vulnerability to trick an application using the flawed package into fetching malicious code from an external IP address as if it were supplied from within the local network.

"A remote authenticated or unauthenticated attacker can bypass packages that rely on netmask to filter IP address blocks to reach intranets, VPNs, containers, adjacent VPC instances, or LAN hosts using input data such as 012.0.0.1, which netmask evaluates as 12.0.0.1," Sick Codes explains.
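The following is an added example (not code from the netmask package or its author) contrasting three ways a dotted-quad octet can be read. It shows that under octal rules the quoted input 012.0.0.1 is 10.0.0.1, inside a private range, while a naive decimal read gives 12.0.0.1, a public address, and that a strict parser which refuses leading zeros sidesteps the ambiguity; the private ranges and helper names are constructed for the demonstration.

```javascript
// Added example, not code from the netmask package. It contrasts three ways of
// reading a dotted-quad octet and shows why a leading zero ("012") is unsafe.
// Private/loopback ranges for the demonstration (RFC 1918 plus 127/8).
const PRIVATE = [['10.0.0.0', 8], ['172.16.0.0', 12], ['192.168.0.0', 16], ['127.0.0.0', 8]];

// Octal-aware parsing (leading 0 => base 8), as inet_aton-style parsers do.
function parseOctetOctalAware(s) {
  if (!/^(0[0-7]*|[1-9][0-9]*)$/.test(s)) return null;
  const v = s.length > 1 && s[0] === '0' ? parseInt(s, 8) : parseInt(s, 10);
  return v <= 255 ? v : null;
}

// Naive decimal parsing: the leading 0 is silently ignored ("012" -> 12).
function parseOctetNaiveDecimal(s) {
  if (!/^[0-9]+$/.test(s)) return null;
  const v = parseInt(s, 10);
  return v <= 255 ? v : null;
}

// Strict canonical parsing: no leading zeros, so "012" is rejected outright.
function parseOctetStrict(s) {
  if (!/^(0|[1-9][0-9]{0,2})$/.test(s)) return null;
  const v = Number(s);
  return v <= 255 ? v : null;
}

// Dotted quad -> unsigned 32-bit integer using the chosen octet parser.
function toUint32(ip, parseOctet) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    const v = parseOctet(p);
    if (v === null) return null;
    n = n * 256 + v;
  }
  return n;
}

// true = private, false = public, null = rejected (unparseable or ambiguous).
function isPrivate(ip, parseOctet) {
  const n = toUint32(ip, parseOctet);
  if (n === null) return null;
  return PRIVATE.some(([base, bits]) => {
    const mask = (0xFFFFFFFF << (32 - bits)) >>> 0;
    const b = toUint32(base, parseOctetStrict);
    return ((n & mask) >>> 0) === ((b & mask) >>> 0);
  });
}
```

For an allow/deny list, the strict parser is the safe default: an input that two parsers disagree on should be rejected rather than classified.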

The netmask package, which is maintained by Marcus Dunn, director of engineering at Netflix, was patched within days after the vulnerability was responsibly reported.

News URL

http://feedproxy.google.com/~r/Securityweek/~3/03KGVOx4iQs/vulnerability-netmask-npm-package-affects-280000-projects