VYPR
Critical severity · NVD Advisory · Published Apr 1, 2021 · Updated Aug 3, 2024

CVE-2021-28918

Description

Improper input validation of octal strings in netmask npm package v1.0.6 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---------|-------------------|------------------|
| netmask (npm) | < 1.1.0 | 1.1.0 |

Vulnerability mechanics

Root cause

"Improper input validation of octal strings in IPv4 octet parsing allows netmask to misinterpret IP addresses."

Attack vector

An unauthenticated remote attacker supplies an IP address containing octal-formatted octets (e.g., `0127.0.0.01`, `0177.0.0.1`, or `012.0.0.1`) to any application that uses the `netmask` package to filter or evaluate IPv4 ranges [ref_id=1]. Because netmask incorrectly interprets octal strings as left-stripped integers, the attacker can make a public IP appear as a private IP (or vice versa), bypassing IP-based access controls [CWE-20]. This allows the attacker to reach intranets, VPNs, containers, adjacent VPC instances, or LAN hosts, enabling SSRF, RFI, and LFI attacks [ref_id=1]. No authentication or special network position is required; the attack is carried out over the network by injecting the malformed IP string into any input field that netmask processes.

Affected code

The vulnerability resides in the `netmask` npm package (versions v1.1.0 and below) in the code that parses individual IPv4 octets. The package incorrectly evaluates octets containing octal strings (e.g., `0177`) as left-stripped integers, so `0177.0.0.1` is parsed as `177.0.0.1` instead of `127.0.0.1` [ref_id=1].

What the fix does

The vendor fixed the issue in version v2.0.0 [ref_id=1]. The advisory does not include a patch diff, but the remediation corrects the input validation of IPv4 octets so that an octet with a leading zero (e.g., `0177`) is read as octal (decimal value `127`) rather than having the zero stripped and being read as decimal `177`. Without the patch source, the precise code change cannot be shown, but the fix ensures that octal literals are no longer misinterpreted, closing the IP-parsing bypass [ref_id=1].
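As an added example (not code from the netmask package or the advisory), the two octet-parsing behaviours side by side, followed by the kind of CIDR allowlist check the advisory describes as bypassable; the names `parseLoose`, `parseStrict`, `inCidr`, `classify` and the `INTERNAL` list are assumptions of this example, not part of the package.

```javascript
// Added example, not code from the netmask package. parseLoose() reproduces the
// defect described above (leading zero dropped, rest read as decimal, so "0177"
// becomes 177); parseStrict() honours the radix prefix as inet_aton() does.

function splitOctets(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4) throw new Error(`not a dotted quad: ${ip}`);
  return parts;
}

// Vulnerable-style parser: strips leading zeros, then parses the rest as decimal.
function parseLoose(ip) {
  return splitOctets(ip).map((o) => {
    if (!/^\d+$/.test(o)) throw new Error(`bad octet: ${o}`);
    const n = parseInt(o.replace(/^0+(?=\d)/, ''), 10);
    if (n > 255) throw new Error(`octet out of range: ${o}`);
    return n;
  });
}

// Corrected parser: "0x" prefix selects hex, a leading "0" selects octal, else decimal.
function parseStrict(ip) {
  return splitOctets(ip).map((o) => {
    let n;
    if (/^0[xX][0-9a-fA-F]+$/.test(o)) n = parseInt(o.slice(2), 16);
    else if (/^0[0-7]+$/.test(o)) n = parseInt(o.slice(1), 8);
    else if (/^(0|[1-9]\d*)$/.test(o)) n = parseInt(o, 10);
    else throw new Error(`bad octet: ${o}`); // "08" is neither valid octal nor decimal
    if (n > 255) throw new Error(`octet out of range: ${o}`);
    return n;
  });
}

function toUint32(octets) {
  return ((octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]) >>> 0;
}
// True when the parsed octets lie inside cidr, e.g. "10.0.0.0/8".
function inCidr(octets, cidr) {
  const [net, bitsText] = cidr.split('/');
  const bits = Number(bitsText);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return (toUint32(octets) & mask) === (toUint32(parseStrict(net)) & mask);
}

// Classify an address the way an IP filter would, using the chosen parser.
const INTERNAL = ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '127.0.0.0/8'];
function classify(ip, parse) {
  const octets = parse(ip);
  return INTERNAL.some((c) => inCidr(octets, c)) ? 'internal' : 'public';
}
```

With `parseLoose`, `0177.0.0.1` classifies as public and passes a filter meant to block internal targets; with `parseStrict` the same string resolves to `127.0.0.1` and is rejected.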

Preconditions

  • config: The target application must use the netmask npm package (v1.1.0 or below) to parse, filter, or evaluate IPv4 addresses or ranges.
  • input: The attacker must be able to supply a string containing an IP address with octal-formatted octets (e.g., 0177.0.0.1) to the application.
  • auth: No authentication is required; the attack is remotely exploitable over the network.
  • network: The attacker must have network connectivity to the target application.

Reproduction

Install netmask v1.0.6 and run the following Node.js script to observe the incorrect parsing:

```sh
# cd /tmp
mkdir -p netmask_poc/node_modules
cd netmask_poc
npm i netmask@1.0.6

node <<'EOF'
var Netmask = require('netmask').Netmask
var block = new Netmask('31.0.0.0/8');
block.base;      // 31.0.0.0
block.mask;      // 255.0.0.0
block.bitmask;   // 8
block.hostmask;  // 0.255.255.255
block.broadcast; // 31.255.255.255
block.size;      // 16777216
block.first;     // 31.0.0.1
block.last;      // 31.255.255.254

console.log(block.contains('#######################'));

console.log(block.first);
console.log('thru');
EOF
```

The advisory notes that input `0177.0.0.1` is evaluated as public IP `177.0.0.1` instead of `127.0.0.1`, and `012.0.0.1` is evaluated as `12.0.0.1` (public) instead of `10.0.0.1` (private) [ref_id=1].

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
