Description
Versions of the package link-preview-js before 2.1.17 are vulnerable to Server-side Request Forgery (SSRF), which allows attackers to send arbitrary requests to the local network and read the response. This is due to flawed DNS rebinding protection.
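DNS rebinding protection has to validate the same address the HTTP client then connects to, since a hostname checked in one lookup can resolve to an internal address in the next. The following JavaScript is an added example of that general pattern, not code from link-preview-js or its patch; the function names and the injected `resolveAll` resolver are hypothetical.

```javascript
// Added example: resolve once, validate every address, pin the connection to it.
// All function names are hypothetical, not part of link-preview-js.

// Parse strict dotted-quad IPv4 into four octets, or return null.
function parseIPv4(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((n) => n <= 255) ? octets : null;
}

// True for loopback, private, link-local, CGNAT, unspecified and multicast ranges.
function isInternalAddress(ip) {
  const addr = String(ip).toLowerCase();
  // IPv4-mapped IPv6 (::ffff:a.b.c.d) is judged by its embedded IPv4 address.
  const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(addr);
  const v4 = parseIPv4(mapped ? mapped[1] : addr);
  if (v4) {
    const [a, b] = v4;
    return a === 0 || a === 10 || a === 127 || a >= 224 ||
      (a === 100 && b >= 64 && b <= 127) ||   // 100.64.0.0/10
      (a === 169 && b === 254) ||             // link-local, cloud metadata
      (a === 172 && b >= 16 && b <= 31) ||
      (a === 192 && b === 168);
  }
  if (!addr.includes(":")) return true;       // not an IP literal: fail closed
  return addr === "::" || addr === "::1" ||
    /^f[cd][0-9a-f]{2}:/.test(addr) ||        // fc00::/7 unique local
    /^fe[89ab][0-9a-f]:/.test(addr) ||        // fe80::/10 link-local
    /^ff[0-9a-f]{2}:/.test(addr) ||           // ff00::/8 multicast
    addr.startsWith("::ffff:");               // mapped in hex form: fail closed
}

// Pick the address to connect to from ONE DNS answer ({address, family} records).
// The whole answer is rejected if any record is internal, so a mixed answer fails.
function pickPinnedAddress(records) {
  if (!Array.isArray(records) || records.length === 0) throw new Error("no DNS records");
  const bad = records.find((r) => isInternalAddress(r.address));
  if (bad) throw new Error(`blocked internal address ${bad.address}`);
  return records[0];
}

// Resolve exactly once and return the pinned record. `resolveAll` is injected;
// in Node it could be (h) => dns.promises.lookup(h, { all: true }).
async function resolveAndPin(hostname, resolveAll) {
  return pickPinnedAddress(await resolveAll(hostname));
}
```

Connect to the returned `address` (for example through the `lookup` option of Node's `http.request`) rather than resolving the hostname a second time, and repeat the check for every redirect hop.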
Recommendation
Update the link-preview-js package to the latest compatible version. Version details:
- Affected version(s): < 2.1.17
- Patched version(s): 2.1.17
References
Related Issues
- uppy's companion module is vulnerable to Server-Side Request Forgery (SSRF) - CVE-2022-0086
- uppy's companion module is vulnerable to Server-Side Request Forgery (SSRF) (GHSA-x8rq-rc7x-5fg5) - CVE-2022-0086
- Server-Side Request Forgery in @peertube/embed-api - CVE-2022-0508
- Server-Side Request Forgery in axios - CVE-2024-39338
Tags: npm, link-preview-js
Last updated on January 27, 2023