CVE-2021-28918
CRITICAL | NUCLEI
netmask < 1.0.6 - Unauthenticated SSRF, RFI and LFI via Octal String Bypass
Exploitation Summary
CVE-2021-28918 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.
Description
Improper input validation of octal strings in the netmask npm package v1.0.6 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. The root cause is a parsing mismatch: netmask reads a dotted-quad octet with a leading zero as decimal, whereas the socket layer the address is eventually passed to (inet_aton and equivalents) treats it as octal, so "0177.0.0.1" is 177.0.0.1 to netmask but 127.0.0.1 to the operating system. A remote unauthenticated attacker can therefore bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts that the filter was meant to block.
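The following is an added illustration of that parsing discrepancy. It is not netmask's source code and not taken from the advisory: the lenient parser is constructed to model the behaviour attributed to vulnerable netmask (every part read as decimal, leading zeros dropped), the second parser applies inet_aton rules (leading "0" is octal, "0x" is hex, and, going beyond the page's example, the short forms such as "127.1" that inet_aton also accepts), and the two filters show the vulnerable pattern next to a hardened one that accepts only canonical dotted decimal before checking a blocklist. All function names, the blocklist and the sample inputs are assumptions made for this example.

```javascript
// Added example for CVE-2021-28918. Not netmask's code: both parsers, the
// blocklist and the filters are constructed for this illustration.

// Lenient parser: each dotted part is read as decimal and leading zeros are
// silently dropped, so "0177" becomes 177 (reconstruction of the vulnerable
// behaviour, not copied from netmask).
function lenientIp2long(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let out = 0;
  for (const p of parts) {
    if (!/^\d+$/.test(p)) return null;
    const n = parseInt(p, 10);
    if (n > 255) return null;
    out = out * 256 + n;
  }
  return out >>> 0;
}

// One dotted part under inet_aton rules: "0x.." is hex, a leading "0" is
// octal, otherwise decimal. Anything else ("08", "1a") is rejected.
function parseInetPart(s) {
  let m;
  if ((m = /^0[xX]([0-9a-fA-F]+)$/.exec(s))) return parseInt(m[1], 16);
  if ((m = /^0([0-7]+)$/.exec(s))) return parseInt(m[1], 8);
  if (s === "0") return 0;
  if (/^[1-9]\d*$/.test(s)) return parseInt(s, 10);
  return null;
}

// inet_aton-style parser: what the socket layer sees when the string is
// finally used to connect. Also accepts inet_aton's short forms, where the
// last part fills the remaining bytes ("127.1" -> 127.0.0.1).
function inetAton(ip) {
  const parts = ip.split(".");
  if (parts.length < 1 || parts.length > 4) return null;
  const nums = parts.map(parseInetPart);
  if (nums.some((n) => n === null)) return null;
  const lastBits = 8 * (5 - nums.length); // a.b.c.d:8, a.b.c:16, a.b:24, a:32
  const last = nums[nums.length - 1];
  if (last >= 2 ** lastBits) return null;
  let out = 0;
  for (let i = 0; i < nums.length - 1; i++) {
    if (nums[i] > 255) return null;
    out = out * 256 + nums[i];
  }
  return (out * 2 ** lastBits + last) >>> 0;
}

// Ranges an SSRF filter typically refuses (constructed list for the example).
const BLOCKED = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
];

function inBlocked(addr) {
  return BLOCKED.some(([net, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((addr & mask) >>> 0) === ((lenientIp2long(net) & mask) >>> 0);
  });
}

// Vulnerable pattern: decide with the lenient parser, then hand the raw
// string to a socket layer that applies inet_aton rules.
function vulnerableFilter(ip) {
  const addr = lenientIp2long(ip);
  return addr !== null && !inBlocked(addr) ? "allow" : "reject";
}

// Hardened pattern: accept only canonical dotted decimal (exactly four parts,
// no leading zeros, no hex), so every layer parses the same address, then
// check that address against the blocklist.
const CANONICAL =
  /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;
function hardenedFilter(ip) {
  if (!CANONICAL.test(ip)) return "reject";
  const addr = inetAton(ip);
  return addr !== null && !inBlocked(addr) ? "allow" : "reject";
}

function longToDotted(addr) {
  if (addr === null) return null;
  return [addr >>> 24, (addr >>> 16) & 255, (addr >>> 8) & 255, addr & 255].join(".");
}

// What each layer sees for one input, and what each filter decides.
function compare(ip) {
  return {
    lenient: longToDotted(lenientIp2long(ip)),
    inetAton: longToDotted(inetAton(ip)),
    vulnerable: vulnerableFilter(ip),
    hardened: hardenedFilter(ip),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  for (const ip of ["0177.0.0.1", "012.0.0.1", "0x7f.1", "127.0.0.1", "8.8.8.8"]) {
    console.log(ip, compare(ip));
  }
}
```

Running the block prints, for "0177.0.0.1", a lenient view of 177.0.0.1 (allowed by the vulnerable filter) against an inet_aton view of 127.0.0.1, which is the bypass; "012.0.0.1" likewise reaches 10.0.0.1. The hardened filter rejects both before any range check because they are not canonical dotted decimal. The general lesson is that an IP allow/deny decision must be made on the exact address the connecting layer will use, either by canonicalising with the same rules first or by refusing every non-canonical spelling.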
Nuclei Templates (1)
Netmask NPM Package - Server-Side Request Forgery
CRITICAL, by johnjhacking
References (7)
Product, Third Party Advisory x_refsource_misc
https://www.npmjs.com/package/netmask
Exploit, Press/Media Coverage, Third Party Advisory x_refsource_misc
https://www.bleepingcomputer.com/news/security/critical-netmask-networking-bug-impacts-thousands-of-applications/
Third Party Advisory x_refsource_misc
https://github.com/advisories/GHSA-pch5-whg9-qr2r
Exploit, Third Party Advisory x_refsource_misc
https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-011.md
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20210528-0010/
Third Party Advisory x_refsource_misc
https://rootdaemon.com/2021/03/29/vulnerability-in-netmask-npm-package-affects-280000-projects/
Scores
CVSS v3
9.1
EPSS
0.1636
EPSS Percentile
96.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Details
CWE
CWE-704
Status
published
Products (2)
netmask_project/netmask
< 1.0.6
npm/netmask
0 - 1.1.0 (npm)
Published
Apr 01, 2021
Tracked Since
Feb 18, 2026