Connect with us

Hi, what are you looking for?



Vulnerability in ‘netmask’ npm Package Affects 280,000 Projects

A vulnerability in the netmask npm package could expose private networks and lead to a variety of attacks, including malware delivery.

A vulnerability in the netmask npm package could expose private networks and lead to a variety of attacks, including malware delivery.

The newly identified issue (which is tracked as CVE-2021-28918) resides in the fact that the package would incorrectly read octal encoding, essentially resulting in the misinterpretation of supplied IP addresses.

Designed to parse IPv4 CIDR blocks to allow for their comparison and exploration, netmask is highly popular, registering millions of weekly downloads. At the moment, it is used by more than 278,000 other projects.

Because of this bug, netmask would consider private IP addresses as external IP addresses and the other way around, thus opening the door to a wide range of attacks, depending on the manner in which the package is used.

Some of the possible attacks include server-side request forgery, remote file inclusion, and local file inclusion, among others, a security researcher going by the name of Sick Codes explains.

Working together with application developer and researcher Victor Viale, Sick Codes discovered that netmask is incorrectly evaluating the first octet in an IP address that starts with 0, which is in octal format, and reads it as a true decimal value.

A remote, unauthenticated attacker could leverage the vulnerability to trick an application using the flawed package into fetching malicious code from an external IP address as if it was supplied from within the local network.

“A remote authenticated or unauthenticated attacker can bypass packages that rely on netmask to filter IP address blocks to reach intranets, VPNs, containers, adjacent VPC instances, or LAN hosts using input data such as (, which netmask evaluates as (public),” Sick Codes explains.

Advertisement. Scroll to continue reading.

Even if the browser would recognize octal strings, if a nodejs application does not, attacks are possible, allowing users to users can submit malicious URLs that seem internal, yet which in reality lead to remote files. 

“You don’t need a special IP address to do this though, you can simply submit a public URL and get local files back. There’s literally so many vulnerabilities caused by this that it will make your head spin,” the researcher adds.

The netmask package, which is maintained by Marcus Dunn, director of engineering at Netflix, was patched within days after the vulnerability was responsibly reported.

The fix covered the manner in which netmask interprets base-8 integers, base-16 integers, and hexadecimal input, as well as the situations where white-spaces are used. All other packages and APIs that leverage netmask need to be updated to address the potential exposure to attacks.

Related: Software Dependencies Exposed Microsoft, Apple to High-Impact Attacks

Related: GitHub Says Vulnerabilities in Some Ecosystems Take Years to Fix

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.