With almost 3 million weekly downloads, netmask has scored more than 238 million total downloads over its lifetime. What’s more, around 279,000 GitHub repositories depend on the component.

Yesterday, cybersecurity analysts Sick Codes, Victor Viale, John Jackson, Nick Sahler, and Kelly Kaoudis disclosed a vulnerability (CVE-2021-28918) in the popular npm netmask library. Because of improper input validation, netmask sees a different IP when parsing an IP address with a leading zero.

More than a quarter of a million other projects use netmask to do something. For almost a decade, netmask has been incorrectly reading octal input data as a string; just stripping the 0 at the front and using the rest of the data as legitimate. Are all 270,000 projects vulnerable? Well, most likely no: it depends entirely on how the project uses it.


Although most commonly seen IPv4 addresses are expressed in decimal format, an IP address has a variety of formats, including hexadecimal and integer.

According to the IETF’s Textual Representation of IPv4 and IPv6 Addresses, parts of an IPv4 address can be interpreted as octal if prefixed with a “0”.

However, as per Sahler and Viale,

netmask ignores this. It will always consider parts as being decimal, which means that if you try and validate that an IP belongs in a range, it will be wrong for octal-based representations of IPv4 addresses.


This bug may not seem very important, but let’s imagine that an attacker is able to influence the IP address input parsed by the application. The bug can trigger various vulnerabilities, including Server-Side Request Forgery (SSRF) bypasses and Remote File Inclusion (RFI).
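
The mismatch described above, as an added JavaScript example (not netmask's code; all function names are hypothetical): a decimal-only reading of a dotted quad, modelled on the behaviour the article describes, next to an octal- and hex-aware reading, and a validator that rejects any input on which the two disagree. It covers only the four-part dotted form.

```javascript
// Added example: models the two readings of a dotted quad. Not netmask's code;
// all function names here are hypothetical.

// One part, read the way octal/hex-aware parsers do:
// "0x.." is hex, a leading "0" is octal, anything else is decimal.
function parsePart(s) {
  if (/^0x[0-9a-f]+$/i.test(s)) return parseInt(s.slice(2), 16);
  if (/^0[0-7]*$/.test(s)) return parseInt(s, 8);
  if (/^[1-9][0-9]*$/.test(s)) return parseInt(s, 10);
  return NaN; // "08", "", "1e3", "-1" ... are not valid parts
}

// Decimal-only reading, as the article describes for the affected netmask:
// leading zeros are dropped and the rest is taken as decimal.
function parseDecimalOnly(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4 || !parts.every((p) => /^[0-9]+$/.test(p))) return null;
  const n = parts.map((p) => parseInt(p, 10));
  return n.every((v) => v <= 255) ? n.join('.') : null;
}

// Octal- and hex-aware reading of the same string.
function parseOctalAware(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  const n = parts.map(parsePart);
  return n.every((v) => Number.isInteger(v) && v <= 255) ? n.join('.') : null;
}

// Defensive validator: return the canonical dotted-decimal form only when
// both readings agree; reject anything ambiguous instead of guessing.
function canonicalOrReject(ip) {
  const dec = parseDecimalOnly(ip);
  return dec !== null && dec === parseOctalAware(ip) ? dec : null;
}

// A loopback filter is only as good as the parser in front of it.
function isLoopback(dotted) {
  return dotted !== null && dotted.startsWith('127.');
}

// Constructed sample inputs.
for (const ip of ['127.0.0.1', '0177.0.0.1', '010.0.0.1', '0x7f.0.0.1', '08.0.0.1']) {
  console.log(ip.padEnd(12), parseDecimalOnly(ip), parseOctalAware(ip), canonicalOrReject(ip));
}
```

Running a filter such as `isLoopback` on the output of `canonicalOrReject` means the filter and whatever later resolves the address cannot disagree about which host the string names.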


Back in 2018, an identical flaw was found in the popular software project curl, which treated octal IPv4 addresses as decimal. According to Ax Sharma, running “curl -v 0177.0.0.1” had curl connecting to as opposed to the loopback address

Many network infrastructure and security products rely on netmask to filter out IPs present on blocklists and allowlists. If left unchecked, vulnerabilities like these can lead to a serious failure in perimeter security controls.

After the vulnerability was reported, netmask developer Olivier Poitrey released a series of fixes for the bug, along with test cases validating that IPv4 octets with 0-prefixes are treated as octal and not decimal numbers.

Additionally, the CVE-2021-28918 fix has been released in version 2.0.0 of netmask on npm.
