netmask package issue
Chore summary
See
- https://github.com/advisories/GHSA-pch5-whg9-qr2r
- https://sick.codes/universal-netmask-npm-package-used-by-270000-projects-vulnerable-to-octal-input-data-server-side-request-forgery-remote-file-inclusion-local-file-inclusion-and-more-cve-2021-28918/
Log
❯ yarn why netmask
yarn why v1.22.10
[1/4] 🤔 Why do we have the module "netmask"...?
[2/4] 🚚 Initialising dependency graph...
[3/4] 🔍 Finding dependency...
[4/4] 🚡 Calculating file sizes...
=> Found "netmask@1.0.6"
info Reasons this module exists
- "_project_#smartlint#@stoplight#spectral#proxy-agent#pac-proxy-agent#pac-resolver" depends on it
- Hoisted from "_project_#smartlint#@stoplight#spectral#proxy-agent#pac-proxy-agent#pac-resolver#netmask"
info Disk size without dependencies: "60KB"
info Disk size with unique dependencies: "60KB"
info Disk size with transitive dependencies: "60KB"
info Number of shared dependencies: 0
✨ Done in 0.53s.
This security vulnerability is already patched with the proxy-agent update to 4.0.1. We need this patch pushed ASAP, a quick 5.9.1 would be greatly appreciated. I’d be happy to fork off the v5.9.0 tag if some of the changes in the develop branch are not ready.

The relevant defect on pac-resolver is: https://github.com/TooTallNate/node-pac-resolver/issues/26
There is a PR out on pac-resolver with netmask updated: https://github.com/TooTallNate/node-pac-resolver/pull/25