Security Experts:

Connect with us

Hi, what are you looking for?



Vulnerability in ‘netmask’ npm Package Affects 280,000 Projects

A vulnerability in the netmask npm package could expose private networks and lead to a variety of attacks, including malware delivery.

A vulnerability in the netmask npm package could expose private networks and lead to a variety of attacks, including malware delivery.

The newly identified issue (which is tracked as CVE-2021-28918) resides in the fact that the package would incorrectly read octal encoding, essentially resulting in the misinterpretation of supplied IP addresses.

Designed to parse IPv4 CIDR blocks to allow for their comparison and exploration, netmask is highly popular, registering millions of weekly downloads. At the moment, it is used by more than 278,000 other projects.

Because of this bug, netmask would consider private IP addresses as external IP addresses and the other way around, thus opening the door to a wide range of attacks, depending on the manner in which the package is used.

Some of the possible attacks include server-side request forgery, remote file inclusion, and local file inclusion, among others, a security researcher going by the name of Sick Codes explains.

Working together with application developer and researcher Victor Viale, Sick Codes discovered that netmask is incorrectly evaluating the first octet in an IP address that starts with 0, which is in octal format, and reads it as a true decimal value.

A remote, unauthenticated attacker could leverage the vulnerability to trick an application using the flawed package into fetching malicious code from an external IP address as if it was supplied from within the local network.

“A remote authenticated or unauthenticated attacker can bypass packages that rely on netmask to filter IP address blocks to reach intranets, VPNs, containers, adjacent VPC instances, or LAN hosts using input data such as (, which netmask evaluates as (public),” Sick Codes explains.

Even if the browser would recognize octal strings, if a nodejs application does not, attacks are possible, allowing users to users can submit malicious URLs that seem internal, yet which in reality lead to remote files. 

“You don’t need a special IP address to do this though, you can simply submit a public URL and get local files back. There’s literally so many vulnerabilities caused by this that it will make your head spin,” the researcher adds.

The netmask package, which is maintained by Marcus Dunn, director of engineering at Netflix, was patched within days after the vulnerability was responsibly reported.

The fix covered the manner in which netmask interprets base-8 integers, base-16 integers, and hexadecimal input, as well as the situations where white-spaces are used. All other packages and APIs that leverage netmask need to be updated to address the potential exposure to attacks.

Related: Software Dependencies Exposed Microsoft, Apple to High-Impact Attacks

Related: GitHub Says Vulnerabilities in Some Ecosystems Take Years to Fix

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...