Security researchers at Sick Codes have discovered a flaw in the networking npm library netmask that can allow hackers to fool servers’ access controls and launch server-side request forgery attacks.
According to the researchers, the vulnerability could leave thousands of networks open to attacks, as hundreds of thousands of applications use the npm package to parse and compare IPv4 addresses and Classless Inter-Domain Routing (CIDR) blocks.
In addition, over 278,000 GitHub repositories depend on the package, which was downloaded over 3M times in the last week alone. Researchers said the bug has existed for over nine years.
The problem stems from the way netmask handles mixed-format IP addresses, particularly octets that start with a zero. Because the parser validates such input incorrectly, node-netmask interprets an IP address with a leading zero as a different address than other software does.
An IP address can be written in several formats, including octal, hexadecimal and plain integer. When an IPv4 octet is prefixed with a 0, the netmask npm library simply strips the leading zeros and reads the remainder as decimal.
The researchers warned that anyone could submit to netmask an address that looks like a private IP but actually connects to a public one, which could be used to deliver malicious files to the victim’s machine.
“If your browser recognizes octal literals, but a NodeJS application does not, users can submit all kinds of malevolent URLs that seem internal, but really go to remote files. On the other hand, users can ALSO submit URLs that seem public, but they’re actually very private!” the researchers said.
If an attacker can interfere with the IP address input analyzed by the application, they could conduct Server-Side Request Forgery (SSRF), remote access, remote file inclusion, local file inclusion, and more.
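The leading-zero confusion described above, shown as an added example rather than netmask's own code: a lenient parser that drops leading zeros (the flawed behaviour), an octal-aware parser that models how libc's inet_aton and browsers read the same string, and a strict parser that rejects non-canonical octets outright. The `GUARDED_BLOCKS` list, the function names and the sample addresses are constructed for this illustration; the private and loopback ranges themselves are the standard RFC 1918 and 127/8 blocks.

```javascript
// Added example (not netmask's own code): three IPv4 parsers applied to the
// same user input, and a private-range check run over each result.

// Private and loopback blocks a server-side access control typically guards.
const GUARDED_BLOCKS = [
  ["10.0.0.0", 8],
  ["172.16.0.0", 12],
  ["192.168.0.0", 16],
  ["127.0.0.0", 8],
];

// Lenient parser: models the flawed behaviour described in the article.
// parseInt(p, 10) silently drops leading zeros, so "0177" becomes 177.
function parseLenient(s) {
  const parts = s.split(".");
  if (parts.length !== 4 || !parts.every(p => /^\d+$/.test(p))) return null;
  const octets = parts.map(p => parseInt(p, 10));
  return octets.every(o => o <= 255) ? octets : null;
}

// Octal-aware parser: models how inet_aton and browsers read a leading-zero
// octet ("0177" is octal for 127). This is the address the connection layer
// will actually dial, regardless of what the access check believed.
function parseOctalAware(s) {
  const parts = s.split(".");
  if (parts.length !== 4) return null;
  const octets = [];
  for (const p of parts) {
    let v;
    if (/^0[0-7]+$/.test(p)) v = parseInt(p, 8);          // leading zero -> octal
    else if (/^(0|[1-9]\d*)$/.test(p)) v = parseInt(p, 10); // plain decimal
    else return null;                                       // e.g. "08" is invalid
    if (v > 255) return null;
    octets.push(v);
  }
  return octets;
}

// Strict parser: canonical dotted-decimal only. An octet with a leading zero
// is ambiguous between implementations, so it is rejected rather than guessed.
function parseStrict(s) {
  const parts = s.split(".");
  if (parts.length !== 4 || !parts.every(p => /^(0|[1-9]\d{0,2})$/.test(p))) return null;
  const octets = parts.map(Number);
  return octets.every(o => o <= 255) ? octets : null;
}

// Pack four octets into an unsigned 32-bit integer.
function toUint32(o) {
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

// True if the octets fall inside base/bits.
function inCidr(octets, base, bits) {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return (toUint32(octets) & mask) === (toUint32(parseStrict(base)) & mask);
}

// Returns "private", "public" or "rejected" for the given parser and input.
function classify(parser, s) {
  const o = parser(s);
  if (o === null) return "rejected";
  return GUARDED_BLOCKS.some(([b, bits]) => inCidr(o, b, bits)) ? "private" : "public";
}

// Detection helper: flags inputs that the lenient access check and the
// octal-aware dialer would classify differently. Useful as a unit test on
// an allow-list implementation or as a log filter over submitted URLs.
function parsersDisagree(s) {
  return classify(parseLenient, s) !== classify(parseOctalAware, s);
}

// Constructed sample inputs showing both directions of the confusion.
for (const addr of ["0177.0.0.1", "0127.0.0.1", "127.0.0.1"]) {
  console.log(addr, {
    lenient: classify(parseLenient, addr),      // what the flawed check sees
    octalAware: classify(parseOctalAware, addr), // what gets connected to
    strict: classify(parseStrict, addr),         // what a hardened check does
    mismatch: parsersDisagree(addr),
  });
}
```

`0177.0.0.1` reads as public to the lenient check but dials loopback, while `0127.0.0.1` reads as private (127.0.0.1) to the lenient check but dials 87.0.0.1; the strict parser refuses both, which is the safer default for an access-control decision.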
Researchers discreetly reported the bug to Olivier Poitrey, the node-netmask developer, who released a series of fixes for the issue on GitHub. Experts recommend all users upgrade to version 2.0.0 as soon as possible.