Critical “Netmask” npm Package Flaw Affects Hundreds of Thousands of Applications

Apart from this, the component has acquired more than 238 million downloads till now in its life time, and near about 278,000 GitHub repositories are also based on the netmask.

Cybersecurity researchers Victor Viale, Sick Codes, Nick Sahler, Kelly Kaoudis, and John Jackson have just recently identified a serious networking vulnerability in the Netmask npm bundle. In general, the apps use the Netmask to parse IPv4 addresses, and the CIDR relates them.

Due to the presence of the bug in the library, the netmask goes to an unique IP while parsing an IP address with absolutely no in the lead, and this happens due to the inaccurate recognitions in place.

Leading Zero Alters the IP address

While I tried this on the address bar of my Chrome web internet browser, it parsed me to this IP “,” as this is how the apps are made to handle these kind of obscure IPs.

The security defect that is being identified by the security professionals is identified as “CVE-2021-28918,” and this flaw impacts the working approach and chain of the netmask.

The IPv4 addresses are usually revealed in decimal format, however the fact is that an IP address can be revealed in numerous formats.

Lets make it a bit more clear, expect your systems IPv4 address interpreted in decimal format (, however due to the bug, the very same IP might be shown as 0780.0034.0014.0214, in octal format.

Suppose we give you an IP in a decimal format which is broadly developed as the local loopback address or localhost, “” What if here we ask you to put a 0 before it? Will it parse 0127.0.0.1 as or something else?

SSRF bypass to Remote File Inclusion

Security repairs

This bug may appear harmless, but, in reality, this defect can lead an attacker to affect the IP address input and speed up the inflation of numerous other security flaws from Server-Side Request Forgery (SSRF) bypass to RFI (Remote File Inclusion).

There are lots of jobs that use the netmask for IP parsing, whichs why this security vulnerability is worrying security analysts.

You can follow us on Linkedin, Twitter, Facebook for day-to-day Cybersecurity, and hacking news updates.

The cybersecurity experts who have actually found and reported the “CVE-2021-28918” flaw has pressed out a series of fixes. And with the netmask variation 2.0.0, the researchers have actually repaired the “CVE-2021-28918” security flaw.

So, currently, the security experts have highly recommended the users update their out-of-date netmask version to the repaired version 2.0.0. And to spread this awareness, they have actually also released their findings on different platforms.

Furthermore, the danger actors can easily exploit this defect for Remote File Inclusion (RFI) with an IP address that appears personal to the netmask.