Description
Versions of the link-preview-js package before 2.1.17 are vulnerable to Server-Side Request Forgery (SSRF), which allows attackers to send arbitrary requests to the local network and read the response. This is due to flawed DNS rebinding protection.
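One way a server-side preview fetcher can resist DNS rebinding, shown as an added example (it is not link-preview-js code and does not describe its patch): resolve the hostname once, reject the answer if any record is internal, and pin the socket to the vetted address. The function names and the list of blocked ranges are assumptions made for illustration.

```javascript
// Added example: not link-preview-js code; all function names are hypothetical.
const net = require('net');
const dns = require('dns').promises;

// Unspecified, private, CGNAT, loopback and link-local ranges.
const internal = new net.BlockList();
[['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16]]
  .forEach(([prefix, bits]) => internal.addSubnet(prefix, bits, 'ipv4'));
[['::', 128], ['::1', 128], ['fc00::', 7], ['fe80::', 10]]
  .forEach(([prefix, bits]) => internal.addSubnet(prefix, bits, 'ipv6'));

function isInternalAddress(ip) {
  const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/i.exec(ip);
  if (mapped) return isInternalAddress(mapped[1]); // judge IPv4-mapped IPv6 as IPv4
  const family = net.isIP(ip);
  if (family === 0) return true; // not an IP literal: fail closed
  return internal.check(ip, family === 4 ? 'ipv4' : 'ipv6');
}

// Accept a resolver answer only if every record is external, then pin the first.
function pickPinnedAddress(records) {
  if (records.length === 0) throw new Error('hostname did not resolve');
  const bad = records.find((r) => isInternalAddress(r.address));
  if (bad) throw new Error(`refusing internal address ${bad.address}`);
  return records[0];
}

// Resolve once, vet the answer, and return request options whose lookup()
// replays the vetted address, so the socket never performs a second DNS query.
async function pinnedRequestOptions(url, resolveAll = (h) => dns.lookup(h, { all: true })) {
  const { protocol, hostname } = new URL(url);
  if (protocol !== 'http:' && protocol !== 'https:') throw new Error('only http(s) is fetched');
  const host = hostname.replace(/^\[|\]$/g, ''); // strip brackets from IPv6 literals
  const pinned = pickPinnedAddress(await resolveAll(host));
  return {
    lookup: (_host, opts, cb) =>
      (opts.all ? cb(null, [pinned]) : cb(null, pinned.address, pinned.family)),
  };
}

// Usage: https.get(url, await pinnedRequestOptions(url), onResponse);
```

Node's http client does not follow redirects on its own, so a fetcher that follows them has to run the same check on every hop.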
Recommendation
Update the link-preview-js package to the latest compatible version. Version details:
- Affected version(s): < 2.1.17
- Patched version(s): 2.1.17
References
Related Issues
- Server-Side Request Forgery in @peertube/embed-api - CVE-2022-0508
- uppy's companion module is vulnerable to Server-Side Request Forgery (SSRF) (GHSA-x8rq-rc7x-5fg5) - CVE-2022-0086
- uppy's companion module is vulnerable to Server-Side Request Forgery (SSRF) - CVE-2022-0086
- cors-anywhere vulnerable to server-side request forgery - CVE-2020-36851
Tags: npm, link-preview-js
Last updated on January 27, 2023