Vulnerability in the node-netmask NPM package, used in 270 thousand projects

A vulnerability (CVE-2021-28918) has been found in the node-netmask NPM package, which has about 3 million downloads per week and is used as a dependency in more than 270 thousand projects on GitHub. The vulnerability makes it possible to bypass checks that use a network mask to determine whether an address falls within an address range or to filter addresses. The problem is fixed in the node-netmask 2.0.0 release.

The vulnerability makes it possible to have an external IP address treated as an address from the internal network and vice versa and, depending on how the node-netmask module is used in an application, to carry out SSRF (Server-Side Request Forgery), RFI (Remote File Inclusion) and LFI (Local File Inclusion) attacks in order to access resources on the internal network and to include external or local files in the execution chain. The problem is that, according to the specification, address string values that start with a zero must be interpreted as octal numbers, but the node-netmask module does not take this into account and processes them as decimal numbers.

For example, an attacker can request a local resource by specifying the value “0177.0.0.1”, which corresponds to “127.0.0.1”, but the node-netmask module will discard the zero and process “0177.0.0.1” as “177.0.0.1”, so that the application, when evaluating its access rules, will not be able to determine that the address is identical to “127.0.0.1”. Similarly, an attacker can specify the address “0127.0.0.1”, which should be identical to “87.0.0.1”, but the node-netmask module will process it as “127.0.0.1”. In the same way, a check on access to intranet addresses can be deceived by specifying values such as “012.0.0.1” (equivalent to “10.0.0.1”, but processed as “12.0.0.1” during the check).
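The mismatch described above, as an added example that is not code from the node-netmask module: the two octet parsers reproduce the decimal reading the article attributes to the vulnerable module and the octal-aware reading, and `strictIPv4` shows one defensive option, rejecting any non-canonical form before a range check. All function names are hypothetical, and only four-part dotted addresses are handled.

```javascript
// Added illustration; these helpers are hypothetical, not the netmask API.

// Decimal reading described in the article: the leading zero is dropped.
function parseOctetDecimal(s) {
  return /^[0-9]+$/.test(s) ? parseInt(s, 10) : NaN;
}

// Octal-aware reading: leading "0" is octal, "0x" is hex, otherwise decimal.
function parseOctetOctalAware(s) {
  if (/^0x[0-9a-f]+$/i.test(s)) return parseInt(s, 16);
  if (/^0[0-7]+$/.test(s)) return parseInt(s, 8);
  if (/^(0|[1-9][0-9]*)$/.test(s)) return parseInt(s, 10);
  return NaN; // e.g. "08" is not valid octal
}

// Normalise a four-part address with the given octet parser, or return null.
function toDotted(addr, parseOctet) {
  const parts = String(addr).split('.');
  if (parts.length !== 4) return null;
  const nums = parts.map(parseOctet);
  if (nums.some((n) => Number.isNaN(n) || n < 0 || n > 255)) return null;
  return nums.join('.');
}

// True when the filter and the component that connects could disagree.
function isAmbiguous(addr) {
  return toDotted(addr, parseOctetDecimal) !== toDotted(addr, parseOctetOctalAware);
}

// Defensive option: accept only canonical decimal octets (no leading zeros,
// no hex), so every parser downstream sees the same address.
function strictIPv4(addr) {
  const octet = '(0|[1-9][0-9]{0,2})';
  const re = new RegExp('^' + [octet, octet, octet, octet].join('\\.') + '$');
  return re.test(addr) ? toDotted(addr, parseOctetDecimal) : null;
}

// The three addresses used in the article, plus one canonical address.
for (const a of ['0177.0.0.1', '0127.0.0.1', '012.0.0.1', '127.0.0.1']) {
  console.log(a, {
    decimal: toDotted(a, parseOctetDecimal),
    octalAware: toDotted(a, parseOctetOctalAware),
    ambiguous: isAmbiguous(a),
    strict: strictIPv4(a),
  });
}
```
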
