Server-side Request Forgery (SSRF) Affecting link-preview-js package, versions <2.1.16


0.0
medium
  • Exploit Maturity

    Proof of concept

  • Attack Complexity

    Low

  • Confidentiality

    High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id

    SNYK-JS-LINKPREVIEWJS-2933520

  • published

    29 Jun 2022

  • disclosed

    22 Jun 2022

  • credit

    Reworr

How to fix?

Upgrade link-preview-js to version 2.1.16 or higher.

Overview

link-preview-js is a Javascript module to extract and fetch HTTP link information from blocks of text.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) which allows attackers to send arbitrary requests to the local network and read the response. This is due to flawed DNS rebinding protection.

PoC:

  1. Find domain that resolved to private address with reverse ip lookup or use domains localtest.me (127.0.0.1) or devhead.net (127.0.0.1 + 192.168.1.1 + 192.168.0.1).

  2. Write it to getLinkPreview.

  3. You see content from your local address.

References