Description
The library did not check for IPv6 loopback addresses. It was also open to a DNS-based attack, in which a hostname could resolve to an internal IP address. This could cause internal data leaks.
Recommendation
Update the link-preview-js package to the latest compatible version. Version details:
- Affected version(s): <= 4.0.0
- Patched version(s): 4.0.1
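The two gaps named in the description (IPv6 loopback, and hostnames that resolve to an internal IP) can be checked as in the following added example. It is not code from link-preview-js or its patch; the function names `isInternalAddress` and `resolvePublicOnly` and the injectable `lookup` parameter are assumptions made for illustration.

```javascript
const net = require('node:net');
const dns = require('node:dns').promises;

// IPv4 ranges that must never be fetched on behalf of a user:
// 0/8, 10/8, 127/8 (loopback), 169.254/16, 172.16/12, 192.168/16.
function internalV4([a, b]) {
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Expand a textual IPv6 address into eight 16-bit groups.
function ipv6Groups(ip) {
  let text = ip.split('%')[0]; // drop any zone id
  const v4 = text.match(/(\d+)\.(\d+)\.(\d+)\.(\d+)$/);
  if (v4) { // trailing dotted quad becomes two hex groups
    const [a, b, c, d] = v4.slice(1).map(Number);
    text = text.slice(0, v4.index) + ((a << 8) | b).toString(16) + ':' + ((c << 8) | d).toString(16);
  }
  const [head, tail] = text.split('::');
  const h = head ? head.split(':') : [];
  const t = tail ? tail.split(':') : [];
  const gap = tail === undefined ? 0 : 8 - h.length - t.length;
  return [...h, ...Array(gap).fill('0'), ...t].map((g) => parseInt(g, 16));
}

function isInternalAddress(ip) {
  const family = net.isIP(ip);
  if (family === 0) return true; // not an IP literal: fail closed
  if (family === 4) return internalV4(ip.split('.').map(Number));
  const g = ipv6Groups(ip);
  const zeros = (n) => g.slice(0, n).every((x) => x === 0);
  if (zeros(5) && g[5] === 0xffff) // IPv4-mapped, e.g. ::ffff:127.0.0.1
    return internalV4([g[6] >> 8, g[6] & 255]);
  if (zeros(7) && g[7] <= 1) return true; // :: and ::1 (IPv6 loopback)
  return (g[0] & 0xfe00) === 0xfc00 || (g[0] & 0xffc0) === 0xfe80; // fc00::/7, fe80::/10
}

// Resolve once, reject if ANY answer is internal, and return the vetted
// addresses so the caller can connect to them instead of resolving again.
async function resolvePublicOnly(hostname, lookup = (h, o) => dns.lookup(h, o)) {
  const answers = await lookup(hostname, { all: true });
  const bad = answers.find((a) => isInternalAddress(a.address));
  if (bad) throw new Error(`${hostname} resolves to internal address ${bad.address}`);
  return answers.map((a) => a.address);
}
```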
References
Related Issues
- Svelte Vulnerable to XSS via DOM Clobbering of Internal Framework State - CVE-2026-42573
- Server-Side Request Forgery in link-preview-js - CVE-2022-25876
- superagent vulnerable to zip bomb attacks - CVE-2017-16129
- LiquidJS is Vulnerable to Remote Code Execution - CVE-2026-45618
Tags: npm, link-preview-js
Last updated on May 13, 2026


