Server-side Request Forgery (SSRF) Affecting link-preview-js package, versions <2.1.16


Snyk CVSS: 0.0 medium
  • Attack Complexity: Low
  • Confidentiality: High

Threat Intelligence
  • Exploit Maturity: Proof of concept
  • EPSS: 0.07% (29th percentile)
NVD: 5.5 medium

  • Snyk ID SNYK-JS-LINKPREVIEWJS-2933520
  • published 29 Jun 2022
  • disclosed 22 Jun 2022
  • credit Reworr

How to fix?

Upgrade link-preview-js to version 2.1.16 or higher.

Overview

link-preview-js is a JavaScript module that extracts links from blocks of text and fetches HTTP metadata (title, description, images) for them.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF): an attacker can make the library send requests to hosts on the server's local network and read the responses. The cause is flawed DNS rebinding protection, so a hostname whose DNS records point at a loopback or private address is not rejected before the fetch is made.

PoC:

  1. Find a domain that resolves to a private address (for example via a reverse IP lookup), or use domains such as localtest.me (127.0.0.1) or devhead.net (127.0.0.1 + 192.168.1.1 + 192.168.0.1).

  2. Pass it to getLinkPreview.

  3. The response contains content from your local address.
