CVE-2021-28918
Published 2021-04-01
Priority: P277 · Severity: critical · CVSS 3.1: 9.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Exploit: available (see the Nuclei template below)
EPSS: 16.36% (96.6th percentile)
Improper input validation of octal strings in netmask npm package v1.0.6 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| netmask_project | netmask | < 2.0.1 | 2.0.1 |
| netmask_project | netmask | <= 1.0.6 | — |
| netmask_project | netmask | >= 0 < 1.1.0 | 1.1.0 |
| netmask_project | netmask | >= 0 < 2.0.1 | 2.0.1 |
Detection & IOCs (extracted from sources)
- url: {{BaseURL}}/?url=http://0177.0.0.1/server-status
- url: {{BaseURL}}/?host=http://0177.0.0.1/server-status
- url: {{BaseURL}}/?file=http://0177.0.0.1/etc/passwd
- ip: 0177.0.0.1
- Probe for SSRF exploitation by sending the octal-encoded IP address `0177.0.0.1` (octal for 127.0.0.1) in common URL/host/file query parameters; a successful bypass returns the Apache Server Status page content or the contents of /etc/passwd.
- Match the HTTP response body for 'Apache Server Status' AND 'Server Version' together, or match the regex `root:.*:0:0:`, to confirm successful SSRF/LFI exploitation via the netmask octal bypass.
- The vulnerability abuses octal string parsing: the attacker supplies an octal-encoded IP (e.g. 0177.0.0.1 = 127.0.0.1) to bypass IP allowlist/blocklist checks in packages relying on netmask ≤ 1.0.6.
- Monitor inbound HTTP requests whose query parameters (url=, host=, file=, etc.) contain octal- or hex-formatted IP addresses (a leading zero followed by octal digits, e.g. 0177 or 0127, or 0x-prefixed octets) that resolve to internal/loopback ranges.
- The Nuclei template uses `stop-at-first-match: true` with three probe paths; detection fires on the first matching response, so not all three paths will necessarily be tested in a single scan run.
- The matchers use an OR condition between the Apache Server Status word-match and the passwd regex — a positive result from either alone is treated as confirmed exploitation, which may produce false positives in environments that legitimately expose these strings.
- Impact severity is highly environment-dependent; Red Hat downgraded the severity for RHACM to 'low' because the affected library is used only in development/build processes there.
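As an added example, not code from the netmask project or from any of the advisories quoted here, the block below shows the defensive side of the bypass described above: a strict IPv4 canonicalizer that resolves octal, hex, short and integer literals the way the OS resolver does (so an allowlist check and the eventual connection agree), plus a detector that scans query parameters for such encoded hosts resolving to loopback or LAN ranges, as the monitoring bullet recommends. All function names are the example's own and the query strings in the test are constructed.

```javascript
// Added example (not from the netmask project or the advisories): canonicalize
// IPv4 literals for allowlist checks and flag encoded internal hosts in queries.

// Parse one octet as inet_aton does: "0x.." hex, leading "0" octal, else decimal.
// Returns null for malformed input such as "09" (the octal digit 9 behind
// CVE-2021-29418). Reading "0177" as decimal 177, as vulnerable netmask did, is the bypass.
function parseOctet(part) {
  let m;
  if ((m = /^0[xX]([0-9a-fA-F]+)$/.exec(part))) return parseInt(m[1], 16);
  if ((m = /^0([0-7]+)$/.exec(part))) return parseInt(m[1], 8);
  if (/^(0|[1-9][0-9]*)$/.test(part)) return parseInt(part, 10);
  return null; // "09", "", letters: not a valid octet
}

// Return the dotted-decimal address the resolver would connect to, or null if the
// string is not an IPv4 literal. 1 to 4 parts; the last part fills the remaining bytes.
function canonicalIPv4(host) {
  const parts = host.split(".");
  if (parts.length > 4) return null;
  const nums = parts.map(parseOctet);
  if (nums.some((n) => n === null)) return null;
  const last = nums.pop();
  const tailBits = (4 - nums.length) * 8;
  if (nums.some((n) => n > 255) || last >= 2 ** tailBits) return null;
  let value = 0;
  for (const n of nums) value = value * 256 + n;
  value = value * 2 ** tailBits + last;
  return [24, 16, 8, 0].map((s) => (value >>> s) & 255).join(".");
}

// Loopback, RFC 1918 and link-local ranges: the targets an SSRF filter guards.
function isInternal(dotted) {
  const [a, b] = dotted.split(".").map(Number);
  return a === 127 || a === 10 || (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) || (a === 169 && b === 254);
}

// Flag query parameters (url=, host=, file=, ...) whose host is written in a
// non-canonical form (octal, hex, short or integer) that resolves internally.
function findEncodedInternalHosts(query) {
  const hits = [];
  for (const [param, value] of new URLSearchParams(query)) {
    const m = /^(?:[a-z][a-z0-9+.-]*:\/\/)?([^/:?#]+)/i.exec(value);
    if (!m || !/\.|^0x/i.test(m[1])) continue; // skip bare numbers such as "1"
    const canon = canonicalIPv4(m[1]);
    if (canon && canon !== m[1] && isInternal(canon)) hits.push({ param, host: m[1], resolvesTo: canon });
  }
  return hits;
}
```

Use `canonicalIPv4` on the host before any allow/deny comparison, and reject input it returns null for rather than guessing what the resolver will do with it.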
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| nvd | v2.0 | 6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:P/A:N |
| ghsa | | 9.1 | CRITICAL | |
| osv | | 9.1 | CRITICAL | |
| vendor_redhat | | 9.1 | CRITICAL | |
OSV
Improper parsing of octal bytes in netmask
osv · 2021-04-14 · CVSS 5.3 · CVE-2021-28918 [MEDIUM]
:exclamation: NOTE: The fix for this issue was incomplete. A subsequent fix was made in version `2.0.1` which was assigned [CVE-2021-29418 / GHSA-pch5-whg9-qr2r](https://github.com/advisories/GHSA-pch5-whg9-qr2r). For complete protection from this vulnerability an upgrade to version 2.0.1 or later is recommended.
GHSA
Improper parsing of octal bytes in netmask
ghsa · 2021-04-14 · CVSS 5.3 · CVE-2021-28918 [MEDIUM] · CWE-20
:exclamation: NOTE: The fix for this issue was incomplete. A subsequent fix was made in version `2.0.1` which was assigned [CVE-2021-29418 / GHSA-pch5-whg9-qr2r](https://github.com/advisories/GHSA-pch5-whg9-qr2r). For complete protection from this vulnerability an upgrade to version 2.0.1 or later is recommended.
OSV
netmask npm package mishandles octal input data
osv · 2021-03-29 · CVSS 9.1 · CVE-2021-29418 [CRITICAL]
The netmask package before 2.0.1 for Node.js mishandles certain unexpected characters in an IP address string, such as an octal digit of 9. This (in some situations) allows attackers to bypass access control that is based on IP addresses. NOTE: this issue exists because of an incomplete fix for CVE-2021-28918.
GHSA
netmask npm package mishandles octal input data
ghsa · 2021-03-29 · CVSS 9.1 · CVE-2021-29418 [CRITICAL] · CWE-20
Red Hat
nodejs-netmask: incorrectly parses an IP address that has octal integer with invalid character
vendor_redhat · 2021-03-29 · CVSS 9.1 · CVE-2021-29418 [CRITICAL] · CWE-20
Statement: The impact of this flaw largely depends on the environment where the affected library is being used. This flaw could be used to redirect an adversary to an exposed, unprotected endpoint. Depending on the functionality of the affected endpoint that could result in a loss of confidentiality, integrity and availability. The affected library is used in Red Hat Advanced Cluster Mana
Red Hat
nodejs-netmask: improper input validation of octal input data
vendor_redhat · 2021-03-29 · CVSS 9.1 · CVE-2021-28918 [CRITICAL] · CWE-20
A flaw was found in nodejs-netmask. Octal input data may lead to a server-side request forgery, remote file inclusion, local file inclusion, and other vulnerabilities. The highest threat from this vulnerability is to data integrity.
No detection rules found.
Nuclei
Netmask NPM Package - Server-Side Request Forgery
nuclei · CVSS 9.1 · CVE-2021-28918 [CRITICAL]
Netmask NPM Package is susceptible to server-side request forgery because of improper input validation of octal strings in netmask npm package. This allows unauthenticated remote attackers to perform indeterminate SSRF, remote file inclusion, and local file inclusion attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts.
Template:
```yaml
id: CVE-2021-28918
info:
  name: Netmask NPM Package - Server-Side Request Forgery
  author: johnjhacking
  severity: critical
  description: Netmask NPM Package is susceptible to server-side request forgery because of improper input validation of octal strings in netmask npm package. This allows unauthentic
```
References:
- https://github.com/advisories/GHSA-pch5-whg9-qr2r
- https://github.com/rs/node-netmask
- https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-011.md
- https://rootdaemon.com/2021/03/29/vulnerability-in-netmask-npm-package-affects-280000-projects/
- https://security.netapp.com/advisory/ntap-20210528-0010/
- https://www.bleepingcomputer.com/news/security/critical-netmask-networking-bug-impacts-thousands-of-applications/
- https://www.npmjs.com/package/netmask