Description
Versions of the package link-preview-js before 2.1.17 are vulnerable to Server-Side Request Forgery (SSRF), which allows attackers to send arbitrary requests to the local network and read the response. This is due to flawed DNS rebinding protection.
Recommendation
Update the link-preview-js package to the latest compatible version. Version details:
- Affected version(s): < 2.1.17
- Patched version(s): 2.1.17
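For callers that fetch user-supplied URLs, one way to guard against the rebinding case named in the Description, given as an added example that is not code from link-preview-js or from this advisory: vet every address a hostname resolves to, then pin the connection to the vetted address so a later DNS answer cannot move it. The names `isInternalAddress`, `vetHost` and `pinnedLookup` and the list of blocked ranges are assumptions of this example.

```javascript
// Added example, not link-preview-js code. Function names are illustrative.
const net = require('node:net');
const dns = require('node:dns').promises;

// Destinations a preview fetcher should never reach.
const internal = new net.BlockList();
for (const [addr, prefix] of [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
]) internal.addSubnet(addr, prefix, 'ipv4');
for (const [addr, prefix] of [
  ['::', 127],    // :: (unspecified) and ::1 (loopback)
  ['fc00::', 7],  // unique local
  ['fe80::', 10], // link-local
]) internal.addSubnet(addr, prefix, 'ipv6');

function isInternalAddress(ip) {
  const family = net.isIP(ip);
  if (family === 0) return true;                         // not an IP literal: fail closed
  if (family === 6 && /^::ffff:/i.test(ip)) return true; // IPv4-mapped: refuse outright
  try {
    return internal.check(ip, family === 6 ? 'ipv6' : 'ipv4');
  } catch {
    return true;                                         // BlockList cannot parse it: fail closed
  }
}

// Resolve once, reject if ANY answer is internal, return the address to pin.
// `lookup` is injectable so the check can be exercised offline.
async function vetHost(hostname, lookup = dns.lookup) {
  const answers = await lookup(hostname, { all: true });
  if (answers.length === 0) throw new Error(`no addresses for ${hostname}`);
  const bad = answers.find((a) => isInternalAddress(a.address));
  if (bad) throw new Error(`${hostname} resolves to internal address ${bad.address}`);
  return answers[0]; // { address, family }
}

// `lookup` option for http/https.request that always yields the vetted address,
// so the socket is opened to the same IP that passed the check.
function pinnedLookup(vetted) {
  return (_host, opts, cb) =>
    opts && opts.all
      ? cb(null, [{ address: vetted.address, family: vetted.family }])
      : cb(null, vetted.address, vetted.family);
}
```

Pass `pinnedLookup(await vetHost(hostname))` as the `lookup` option of `http.request` or `https.request`, and repeat the vetting for every URL the fetcher requests.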
References
Related Issues
- min-document vulnerable to prototype pollution - CVE-2025-57352
- Vite bypasses server.fs.deny when using ?raw?? - CVE-2025-30208
- GetmeUK ContentTools Cross-Site Scripting (XSS) - CVE-2025-2699
- node-gettext vulnerable to Prototype Pollution - CVE-2024-21528
- Tags:
- npm
- link-preview-js
Last updated on January 27, 2023