CVE-2021-28918
published 2021-04-01

CVE-2021-28918: Improper input validation of octal strings in netmask npm package v1.0.6 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI…

Priority: P277
Severity: critical (CVSS 3.1 base score 9.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Exploit: available
EPSS: 16.36% (96.6th percentile)
Improper input validation of octal strings in netmask npm package v1.0.6 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts.

Affected (4 ranges)

Vendor            Product   Version range     Fixed in
netmask_project   netmask   < 2.0.1           2.0.1
netmask_project   netmask   <= 1.0.6
netmask_project   netmask   >= 0, < 1.1.0     1.1.0
netmask_project   netmask   >= 0, < 2.0.1     2.0.1

Detection & IOCs (extracted from sources)

url: {{BaseURL}}/?url=http://0177.0.0.1/server-status
url: {{BaseURL}}/?host=http://0177.0.0.1/server-status
url: {{BaseURL}}/?file=http://0177.0.0.1/etc/passwd
ip: 0177.0.0.1
  • Probe for SSRF exploitation by sending octal-encoded IP address `0177.0.0.1` (octal for 127.0.0.1) in common URL/host/file query parameters; a successful bypass will return Apache Server Status page content or /etc/passwd contents.
  • Match HTTP response body for 'Apache Server Status' AND 'Server Version' together, or match regex `root:.*:0:0:` to confirm successful SSRF/LFI exploitation via the netmask octal bypass.
  • The vulnerability abuses octal string parsing: the attacker supplies an octal-encoded IP (e.g. 0177.0.0.1 = 127.0.0.1) to bypass IP allowlist/blocklist checks in packages relying on netmask ≤1.0.6.
  • Monitor inbound HTTP requests where query parameters (url=, host=, file=, etc.) contain octal-formatted IP addresses (leading zero followed by digits, e.g. 0177, 0127, 0x-style octets) targeting internal/loopback ranges.
  • The Nuclei template uses `stop-at-first-match: true` with three probe paths; detection fires on the first matching response, so not all three paths will necessarily be tested in a single scan run.
  • The matchers use an OR condition between the Apache Server Status word-match and the passwd regex: a positive result from either alone is treated as confirmed exploitation, which may produce false positives in environments that legitimately expose these strings.
  • Impact severity is highly environment-dependent; Red Hat downgraded the severity for RHACM to 'low' because the affected library is used only in development/build processes there.
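As an added defender-side example (not netmask's own code and not the Nuclei template), the check below canonicalizes an IPv4 literal the way inet_aton-style resolvers read it, shows why a decimal-only octet parse lets 0177.0.0.1 slip past a loopback block list, and runs the monitoring idea from the list above over constructed request lines. The octet parsing rules, the internal-range list and the sample requests are assumptions of this example.

```javascript
// Added example (not netmask's own code): canonicalize IPv4 literals before an
// allow/block check and flag query parameters carrying an obfuscated internal address.
// Pre-fix behaviour the advisory describes: every octet read as decimal, so
// "0177.0.0.1" becomes "177.0.0.1" and slips past a loopback block list.
function naiveDecimal(ip) {
  return ip.split('.').map(o => parseInt(o, 10)).join('.');
}

// One octet as inet_aton-style resolvers read it: 0x.. hex, leading zero octal,
// otherwise decimal. Returns null if malformed. (Assumed rules for this example.)
function parseOctet(s) {
  if (/^0x[0-9a-f]+$/i.test(s)) return { value: parseInt(s.slice(2), 16), form: 'hex' };
  if (/^0[0-7]+$/.test(s)) return { value: parseInt(s, 8), form: 'octal' };
  if (/^(0|[1-9][0-9]*)$/.test(s)) return { value: parseInt(s, 10), form: 'decimal' };
  return null;
}

// Dotted-decimal form plus a flag for any non-decimal octet.
function canonicalizeIPv4(ip) {
  const octets = ip.split('.').map(parseOctet);
  if (octets.length !== 4 || octets.some(o => o === null || o.value > 255)) return null;
  return { canonical: octets.map(o => o.value).join('.'),
           suspicious: octets.some(o => o.form !== 'decimal') };
}

// Loopback, private, link-local and "this network" ranges a fetcher should not reach.
function isInternal(canonical) {
  const [a, b] = canonical.split('.').map(Number);
  return a === 127 || a === 10 || a === 0 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Hosts from url=, host= and file= query parameters that canonicalize to an internal address.
function flagRequest(requestLine) {
  const hits = [], re = /[?&](?:url|host|file)=([^&\s]+)/g;
  for (let m; (m = re.exec(requestLine)) !== null;) {
    const host = (decodeURIComponent(m[1]).match(/^(?:[a-z]+:\/\/)?([^\/:]+)/i) || [])[1];
    const c = host ? canonicalizeIPv4(host) : null;
    if (c && isInternal(c.canonical)) hits.push({ literal: host, canonical: c.canonical, obfuscated: c.suspicious });
  }
  return hits;
}

// Constructed sample request lines (not real traffic); 203.0.113.5 is from TEST-NET-3.
const SAMPLE_REQUESTS = [
  'GET /?url=http://0177.0.0.1/server-status HTTP/1.1',
  'GET /?file=http://0x7f.0.0.1/etc/passwd HTTP/1.1',
  'GET /?host=http://203.0.113.5/ HTTP/1.1',
];
const SAMPLE_HITS = SAMPLE_REQUESTS.flatMap(flagRequest);
```

Running the canonical form, not the raw literal, through the allow/block check is the mitigation; the `obfuscated` flag is the detection signal for the monitoring bullet above.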

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      9.1     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
nvd             v2.0      6.4     MEDIUM     AV:N/AC:L/Au:N/C:P/I:P/A:N
ghsa                      9.1     CRITICAL
osv                       9.1     CRITICAL
vendor_redhat             9.1     CRITICAL