A Critical Bug in the npm Netmask Affects Thousands of Programs

Security problems that can compromise our devices arise frequently. They affect every type of operating system and must be corrected. In this article we cover a bug in the netmask npm package, rated critical, which endangers thousands of programs. We are going to explain what this security problem consists of.

Critical npm netmask bug affects thousands of apps

The netmask package is used in hundreds of thousands of applications to parse or compare IPv4 addresses and CIDR blocks, so any vulnerability in it could put many users at risk. The package also has millions of weekly downloads.

A Critical Bug in the npm Netmask

The bug is present in the npm library: when an IP address with a leading zero is parsed, netmask sees a different IP because of incorrect validation. The discovery was made by Victor Viale, Sick Codes, Nick Sahler, Kelly Kaoudis, and John Jackson, who disclosed the bug in the popular network mask library.

The vulnerability is tracked as CVE-2021-28918. It affects how netmask handles mixed-format IP addresses, or more specifically a decimal IPv4 address in which an octet carries a leading zero.

Note that an IP address can be represented in several formats, including hexadecimal and integer, although IPv4 addresses are most commonly written in decimal. Suppose an address is received in decimal form as 127.0.0.1, widely known as the local or loopback (localhost) address.

The problem appears when a 0 is placed on the left: the address is then interpreted as a totally different one. We can try this in a browser such as Chrome by entering the IP 127.0.0.1. If we prepend a 0, the browser interprets that octet in octal format and, when we try to open it, converts the address to its decimal equivalent, 87.0.0.1.

In the case of the npm netmask, those leading zeros were simply removed and discarded. According to the researchers, netmask ignores the prefix and always treats each part as decimal, which means that a check of whether an IP belongs to a range gives the wrong answer for octal-based IPv4 address representations.


This issue affects security

Now, how does all this affect security? At first the bug might seem minor, but if an attacker can influence the IP address input that the application parses, it can lead to several vulnerabilities, ranging from server-side request forgery (SSRF) bypasses to remote file inclusion.

An attacker could, for example, craft an IP address with some or all octets in base 8, using the legacy JavaScript representation with a 0 prefix. The bug could be exploited for remote file inclusion if the attacker builds an IP address that appears private to netmask.
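As an added illustration (not netmask's own code), the following JavaScript contrasts a strict IPv4 parser that honours the octal and hex octet forms with a lenient one that mirrors the pre-2.0.0 behaviour described above, and shows how the private-range check this section warns about diverges between them. All function names and sample addresses are constructed for this example.

```javascript
// Illustration only, not netmask's source. A strict parser follows the classic
// inet_aton radix rules; the lenient parser mimics the behaviour the article
// describes for netmask before 2.0.0 (leading zeros dropped, octet read as decimal).

function parseOctet(text, lenient) {
  // Lenient: strip leading zeros and read as base 10, like pre-2.0.0 netmask.
  if (lenient) return parseInt(text, 10);
  // Strict: 0x prefix => hex, 0 prefix => octal, otherwise plain decimal.
  if (/^0[xX][0-9a-fA-F]+$/.test(text)) return parseInt(text.slice(2), 16);
  if (/^0[0-7]+$/.test(text)) return parseInt(text, 8);
  if (/^(0|[1-9][0-9]*)$/.test(text)) return parseInt(text, 10);
  throw new Error(`invalid octet: ${text}`);
}

// Returns the address as a 32-bit unsigned integer, or throws on bad input.
function ipv4ToInt(addr, lenient = false) {
  const parts = addr.split('.');
  if (parts.length !== 4) throw new Error(`expected 4 octets: ${addr}`);
  return parts.reduce((acc, p) => {
    const v = parseOctet(p, lenient);
    if (!Number.isInteger(v) || v < 0 || v > 255) throw new Error(`octet out of range: ${p}`);
    return ((acc << 8) | v) >>> 0;
  }, 0);
}

// True when addr falls inside the CIDR block, e.g. inCidr('127.0.0.1', '127.0.0.0/8').
function inCidr(addr, cidr, lenient = false) {
  const [base, bitsText] = cidr.split('/');
  const bits = Number(bitsText);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error(`bad prefix: ${cidr}`);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(addr, lenient) & mask) >>> 0) === ((ipv4ToInt(base, lenient) & mask) >>> 0);
}

// The kind of allow/deny decision an SSRF filter makes: does the address hit an
// internal range? Constructed sample: "0177.0.0.1" is 127.0.0.1 with an octal octet.
function isInternal(addr, lenient = false) {
  const internal = ['127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'];
  return internal.some((cidr) => inCidr(addr, cidr, lenient));
}
```

Run with a strict parser the loopback address written as 0177.0.0.1 is flagged as internal; the lenient parser reads it as 177.0.0.1 and lets it through, which is exactly the misclassification the researchers describe.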

To correct CVE-2021-28918, version 2.0.0 of netmask has been released. Once again this shows the importance of keeping our systems and devices properly updated; only then can we avoid security problems.