Description
Improper input validation of octal strings in the netmask npm package v1.0.6 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks against many of the packages that depend on it. A remote unauthenticated attacker can bypass IP filtering in packages that rely on netmask and reach critical VPN or LAN hosts.
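Worked example (added here; this is not code from the netmask package or from any of the references below): a strict dotted-quad parser and a fail-closed private-range check in JavaScript, the kind of guard a consumer would put in front of an outbound request. It assumes the parsing discrepancy class the description names: an octet written with a leading zero, such as "0177", is read as decimal 177 by a lenient decimal-only parser but as octal 127 by a C-style inet_aton parser, so the two disagree about which host a string names. Every function and range name below is this example's own.

```javascript
// Added example, not part of the netmask project. Rejects non-canonical
// IPv4 text instead of guessing how a downstream parser will read it.

// Canonical decimal octet: "0" or 1-3 digits with no leading zero.
const OCTET_RE = /^(0|[1-9][0-9]{0,2})$/;

// Parse only canonical dotted-quad text ("10.0.0.1") into four numbers.
// Returns null for leading-zero octets ("010.0.0.1"), hex ("0x7f.0.0.1"),
// out-of-range values, or anything other than exactly four parts.
function parseStrictIPv4(str) {
  if (typeof str !== 'string') return null;
  const parts = str.split('.');
  if (parts.length !== 4) return null;
  const octets = [];
  for (const p of parts) {
    if (!OCTET_RE.test(p)) return null;
    const n = Number(p);
    if (n > 255) return null;
    octets.push(n);
  }
  return octets;
}

// How a C-style inet_aton parser reads one octet: a leading "0" means
// octal and "0x" means hex, so "0177" -> 127 and "0x7f" -> 127. A
// decimal-only parser reads "0177" as 177; that mismatch is the bug class.
function lenientOctetValue(p) {
  if (/^0[xX][0-9a-fA-F]+$/.test(p)) return parseInt(p.slice(2), 16);
  if (/^0[0-7]+$/.test(p)) return parseInt(p.slice(1), 8);
  if (/^[0-9]+$/.test(p)) return parseInt(p, 10);
  return NaN;
}

// Pack four octets into an unsigned 32-bit integer.
function toUint32(o) {
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

// Parse "a.b.c.d/n" with the same strict rules; null if malformed.
function parseCidr(cidr) {
  const m = /^([^/]+)\/(0|[1-9][0-9]?)$/.exec(cidr);
  if (!m) return null;
  const base = parseStrictIPv4(m[1]);
  const bits = Number(m[2]);
  if (!base || bits > 32) return null;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return { network: (toUint32(base) & mask) >>> 0, mask };
}

// Constructed deny-list of private and loopback ranges (RFC 1918 + 127/8).
const BLOCKED_RANGES = [
  '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '127.0.0.0/8',
].map(parseCidr);

// SSRF guard: true when the destination must be refused. Text the strict
// parser rejects (e.g. "0177.0.0.1") is refused too, so a later hand-off
// to an inet_aton-style resolver cannot land on a host this check never saw.
function shouldBlockDestination(ip) {
  const addr = parseStrictIPv4(ip);
  if (!addr) return true; // fail closed on ambiguous input
  const v = toUint32(addr);
  return BLOCKED_RANGES.some((r) => ((v & r.mask) >>> 0) === r.network);
}

module.exports = { parseStrictIPv4, lenientOctetValue, parseCidr, shouldBlockDestination };
```

The design choice is to refuse rather than normalize: normalizing "0177" to 127 would be correct for one downstream parser and wrong for another, and the address only has to be misread once for the filter to be bypassed. A filter that accepts only one canonical spelling has no such disagreement to lose.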
Remediation
References
https://github.com/advisories/GHSA-pch5-whg9-qr2r
https://github.com/rs/node-netmask
https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-011.md
https://rootdaemon.com/2021/03/29/vulnerability-in-netmask-npm-package-affects-280000-projects/
https://security.netapp.com/advisory/ntap-20210528-0010/
https://www.bleepingcomputer.com/news/security/critical-netmask-networking-bug-impacts-thousands-of-applications/
https://www.npmjs.com/package/netmask
Related Vulnerabilities
CVE-2019-1003030 Vulnerability in maven package org.jenkins-ci.plugins.workflow:workflow-cps
CVE-2018-20677 Vulnerability in npm package bootstrap
CVE-2021-41249 Vulnerability in npm package graphql-playground-react
CVE-2016-10518 Vulnerability in npm package ws
CVE-2021-41303 Vulnerability in maven package org.apache.shiro:shiro-core