Moderate severity · NVD Advisory · Published Mar 30, 2021 · Updated Aug 3, 2024
CVE-2021-29418
Description
The netmask package before 2.0.1 for Node.js mishandles certain unexpected characters in an IP address string, such as an octal digit of 9. This (in some situations) allows attackers to bypass access control that is based on IP addresses. NOTE: this issue exists because of an incomplete fix for CVE-2021-28918.
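As an added illustration of the parsing hazard described above (not code from netmask or from this advisory): a lenient octet parser that treats a leading zero as octal silently reduces "09" to 0, while a strict parser rejects any non-canonical octet before an IP-based access decision is made. The function names and sample addresses are assumptions constructed for the example.

```javascript
'use strict';

// Lenient octet parser (hypothetical, for contrast; not netmask's code):
// a leading "0" selects radix 8, and parseInt silently stops at the first
// character that is not valid in that radix, so "09" becomes 0.
function lenientOctet(s) {
  return s.length > 1 && s[0] === '0' ? parseInt(s, 8) : parseInt(s, 10);
}

// Strict parser: each octet must be canonical decimal (no leading zeros,
// no signs, hex, whitespace or trailing characters) in the range 0..255.
// Returns the 32-bit address as a number, or null when the input is rejected.
function parseStrictIPv4(input) {
  if (typeof input !== 'string') return null;
  const parts = input.split('.');
  if (parts.length !== 4) return null;
  let addr = 0;
  for (const p of parts) {
    if (!/^(0|[1-9][0-9]{0,2})$/.test(p)) return null;
    const n = Number(p);
    if (n > 255) return null;
    addr = addr * 256 + n;
  }
  return addr;
}

// Deny-by-default CIDR check built on the strict parser: anything that
// does not parse cleanly is treated as "not in range".
function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split('/');
  const a = parseStrictIPv4(ip);
  const b = parseStrictIPv4(base);
  if (a === null || b === null || !/^(0|[1-9][0-9]?)$/.test(bitsStr)) return false;
  const bits = Number(bitsStr);
  if (bits > 32) return false;
  const size = 2 ** (32 - bits);
  return Math.floor(a / size) === Math.floor(b / size);
}

// Constructed sample inputs.
for (const ip of ['10.0.0.9', '10.0.0.09', '010.0.0.1', '10.0.0.1 ', '0x0a.0.0.1']) {
  console.log(JSON.stringify(ip), '->', parseStrictIPv4(ip) === null ? 'rejected' : 'accepted');
}
```

Rejecting ambiguous input outright, rather than choosing an interpretation, keeps the access-control check and any downstream network stack from disagreeing about which address a string names.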
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| netmask (npm) | < 2.0.1 | 2.0.1 |
Affected products
- Node.js/netmask
References
- github.com/advisories/GHSA-pch5-whg9-qr2r (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-29418 (ghsa, ADVISORY)
- github.com/rs/node-netmask/commit/3f19a056c4eb808ea4a29f234274c67bc5a848f4 (ghsa, x_refsource_MISC, WEB)
- security.netapp.com/advisory/ntap-20210604-0001 (ghsa, WEB)
- security.netapp.com/advisory/ntap-20210604-0001/ (mitre, x_refsource_CONFIRM)
- sick.codes/sick-2021-011 (ghsa, WEB)
- sick.codes/universal-netmask-npm-package-used-by-270000-projects-vulnerable-to-octal-input-data-server-side-request-forgery-remote-file-inclusion-local-file-inclusion-and-more-cve-2021-28918 (ghsa, WEB)
- vuln.ryotak.me/advisories/6 (ghsa, x_refsource_MISC, WEB)
- www.npmjs.com/package/netmask (ghsa, WEB)