CVE-2022-25876

Published: Jul 1, 2022Modified: Nov 21, 2024

5.5

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 1.8 / Impact: 3.6

Source: NVD

Description

The package link-preview-js before 2.1.16 are vulnerable to Server-side Request Forgery (SSRF) which allows attackers to send arbitrary requests to the local network and read the response. This is due to flawed DNS rebinding protection.

Affected (1)

Products: Link Preview Js Project: Link Preview Js

Link Preview Js Project

1 product

Link Preview Js

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Link Preview Js Project Link Preview Js	Before 2.1.16

Related CWEs

CWE-918

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (6)

https://github.com/ospfranco/link-preview-js/issues/115

Source: report@snyk.io

ExploitIssue TrackingThird Party Advisory

https://github.com/ospfranco/link-preview-js/pull/117

Source: report@snyk.io

PatchThird Party Advisory

https://snyk.io/vuln/SNYK-JS-LINKPREVIEWJS-2933520

Source: report@snyk.io

ExploitThird Party Advisory

https://github.com/ospfranco/link-preview-js/issues/115

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitIssue TrackingThird Party Advisory

https://github.com/ospfranco/link-preview-js/pull/117

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://snyk.io/vuln/SNYK-JS-LINKPREVIEWJS-2933520

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.