Hundreds of thousands of projects affected by a flaw in netmask npm package

Pierluigi Paganini March 30, 2021

A vulnerability in the netmask npm package, tracked as CVE-2021-28918, could be exploited by attackers to conduct a variety of attacks.

A vulnerability in the netmask npm package, tracked as CVE-2021-28918, could expose private networks to multiple attacks. The flaw is caused by the improper input validation of octal strings in netmask npm package, it affects v1.1.0.

“Improper input validation of octal strings in widely used netmask npm package v1.1.0 and below allows unautenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages.” reads the description of the flaw. “The netmask npm package incorrectly evaluates individual ipv4 octets that contain octal strings as left-stripped integers, leading to an inordinate attack surface on hundreds of thousands of projects that rely on netmask to filter or evaluate ipv4 block ranges, both inbound and outbound.”

The Netmask class was developed to parse and understand IPv4 CIDR blocks, it can be explored and compared. This module is highly inspired by Perl Net::Netmask module. The package registers millions of weekly downloads and is currently used by more than 278,000 projects.

The CVE-2021-28918 flaw resides in the fact that the netmask would incorrectly read octal encoding failing to recognize IP addresses and distinguish IP addresses from external IP addresses, leading to a wide range of attacks.

Server-side request forgery, local and remote file inclusion, are just some of the attacks that could be conducted by attackers.

“For example, a remote unauthenticated attacker can request local resources using input data 0177.0.0.1 (, which netmask evaluates as public IP” wrote the security researcher that goes online with the name of Sick Codes. “Contrastingly, a remote authenticated or unauthenticated attacker can input the data 0127.0.0.01 ( as localhost, yet the input data is a public IP and potentially cause local and remote file inclusion (LFI/RFI). A remote authenticated or unauthenticated attacker can bypass packages that rely on netmask to filter IP address blocks to reach intranets, VPNs, containers, adjacent VPC instances, or LAN hosts using input data such as (, which netmask evaluates as (public).”

Sick Codes, along with the researchers Victor Viale, Kelly Kaoudis, John Jackson, and Nick Sahler, noticed that the netmask misinterpreted the first octet in an IP address that starts with 0, which is in octal format, and evaluate it as a pure decimal value.

“Similarly, (AT&T Services) looks public to netmask, but it is really a one-way ticket into your private network! Catastrophic, to say the least.” wrote the experts.

“You don’t need a special IP address to do this though, you can simply submit a public URL and get local files back. There’s literally so many vulnerabilities cause by this that it will make your head spin.”

Below the disclosure timeline:

  • 2021-03-16 – Researchers discover vulnerability
  • 2021-03-17 – Vendor notified
  • 2021-03-17 – CVE requested
  • 2021-03-19 – CVE assigned CVE-2021-28918
  • 2021-03-28 – Vulnerability published

All other packages and projects that use netmask need to be updated.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, netmask npm package)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment