Description
Versions of the link-preview-js package before 2.1.17 are vulnerable to Server-Side Request Forgery (SSRF), which allows attackers to send arbitrary requests to the local network and read the response. This is due to flawed DNS rebinding protection.
Recommendation
Update the link-preview-js package to the latest compatible version. Version details:
- Affected version(s): < 2.1.17
- Patched version(s): 2.1.17
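The description attributes the issue to flawed DNS rebinding protection without showing the flaw, so the following is an added example (not code from link-preview-js or from this advisory) that contrasts the general check-then-resolve-again gap with resolving once and pinning the validated address. All function names, the injected `lookup` resolver and the sample addresses are constructed for illustration.

```javascript
// Added example; every name here is hypothetical, not a link-preview-js API.
function parseV4(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((n) => n <= 255) ? octets : null;
}

// True for loopback, private, link-local, CGNAT and unspecified addresses.
// Input is assumed to be resolver output in canonical text form.
function isInternalAddress(ip) {
  const s = String(ip).toLowerCase();
  const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(s); // IPv4-mapped IPv6
  const v4 = parseV4(mapped ? mapped[1] : s);
  if (v4) {
    const [a, b] = v4;
    return a === 0 || a === 10 || a === 127 ||
      (a === 100 && b >= 64 && b <= 127) || (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
  }
  // Anything that is not a plain IPv6 literal, or is a mapped address in hex
  // form, is rejected (fail closed).
  if (!s.includes(':') || s.startsWith('::ffff:')) return true;
  return s === '::' || s === '::1' || /^f[cd]/.test(s) || /^fe[89ab]/.test(s);
}

// Weak pattern: validate one DNS answer, then let the HTTP client resolve the
// name again. Returns the address the client would actually connect to.
async function checkThenRefetch(hostname, lookup) {
  const checked = await lookup(hostname);
  if (checked.some(isInternalAddress)) throw new Error('blocked');
  return (await lookup(hostname))[0]; // second, unchecked resolution
}

// Hardened pattern: resolve once, reject if any answer is internal, and hand
// the caller the exact address to connect to (hostname kept for Host/SNI).
async function resolveAndPin(hostname, lookup) {
  const answers = await lookup(hostname);
  if (answers.length === 0) throw new Error('no addresses for ' + hostname);
  const bad = answers.find((a) => isInternalAddress(a));
  if (bad) throw new Error('blocked internal address ' + bad);
  return { address: answers[0], servername: hostname };
}

// Constructed resolver simulating a rebind: public answer first, loopback after.
function makeRebindingLookup() {
  let calls = 0;
  return async () => (calls++ === 0 ? ['203.0.113.10'] : ['127.0.0.1']);
}
```

In a Node client the injected `lookup` could wrap `dns.promises.lookup(host, { all: true })` and return the `address` strings; the request must then connect to the returned `address` rather than the hostname. The same check has to be repeated for every redirect hop, since each hop is a new hostname resolution.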
Related Issues
- Server-Side Request Forgery in @peertube/embed-api - CVE-2022-0508
- uppy's companion module is vulnerable to Server-Side Request Forgery (SSRF) - CVE-2022-0086
- uppy's companion module is vulnerable to Server-Side Request Forgery (SSRF) - uppy - CVE-2022-0086
- Parse Server is vulnerable to Server-Side Request Forgery (SSRF) via Instagram OAuth Adapter - CVE-2025-68150
Tags: npm, link-preview-js
Last updated on January 27, 2023


