Wednesday, 09 July 2025

Critical vulnerability found in popular npm library netmask

A critical vulnerability (CVE-2021-28918) has been found in the popular npm library netmask. The problem is how netmask handles mixed-format IP addresses: when it parses an address containing an octet with a leading zero, node-netmask interprets it as a different IP address because the input is not validated properly.

At first glance this bug may seem like no big deal, but if an attacker can influence the IP address that the application parses, the bug can give rise to various vulnerabilities, from Server-Side Request Forgery (SSRF) to remote access.

Researchers reported the vulnerability to node-netmask developer Olivier Poitrey, who has posted a series of fixes for the issue in the GitHub repository. Users of the netmask npm library are advised to upgrade to version 2.0.0.

Source: securitylab.ru

30 March 2021
