ip-address npm library, Cross-Site Scripting (XSS), CVE-2023-45857 (medium)


The vulnerability stems from missing HTML escaping in three methods of the ip-address library (Address6.group(), Address6.link() and AddressError.parseMessage) and one helper.

Address6.group() takes the raw input stored in this.address (including any IPv6 zone ID following a ‘%’) and passes it to helpers.simpleGroup(), which wraps each colon-separated segment in a <span> element without escaping it. An attacker can therefore supply a zone ID containing HTML markup such as <img src=x onerror=alert(1)>, which is embedded verbatim in the returned HTML string.

Address6.link({ prefix, className }) concatenates the caller-supplied prefix and className directly into the href and class attributes without escaping, so a value that breaks out of the attribute can inject event handlers (e.g., onmouseover).

In the Address6 constructor, parse4in6() builds the AddressError.parseMessage for a leading-zero IPv4 error by running String.replace() over the raw address before any bad-character filter runs. An input such as `:10.0.01.1` takes this path, and the unfiltered address is reflected into an error message that is designed to contain markup already.

Applications that pass untrusted input to Address6 and then render the output of these methods, or the error’s parseMessage, as HTML (e.g., via innerHTML) are vulnerable to XSS. The related v6.helpers.spanAll() produced malformed markup but was not exploitable, because it iterates over s.split('') and so each n is a single character; it was hardened for consistency.

dailycve form:

Platform: ip-address npm
Version: <=10.1.0
Vulnerability: XSS (HTML escape)
Severity: medium
date: 2023-10-16

Prediction: 2023-10-17

What Undercode Say:

Check the installed version:
npm list ip-address
Upgrade to the patched version:
npm install ip-address@10.1.1
Search the codebase for calls to the affected methods (extended regex; the dots are escaped so they match literally):
grep -rE '\.(group|link|spanAll)\(|parseMessage' --include='*.js' --include='*.ts' .
// Vulnerable pattern example: untrusted input reaches Address6 and the
// HTML-producing group() output is rendered as markup instead of text
const { Address6 } = require('ip-address');
const userInput = 'fe80::1%<img src=x onerror=alert(1)>'; // zone ID carries markup
const addr = new Address6(userInput);
document.body.innerHTML = addr.group(); // XSS: the <img> is inserted verbatim

Exploit:

A crafted IPv6 address whose zone ID contains HTML/JavaScript, e.g., `fe80::1%<img src=x onerror=alert(1)>`, triggers XSS when the group() output is inserted via innerHTML. For link(): { prefix: 'javascript:alert(1)', className: 'x onmouseover=alert(1)' } (when the attributes are quoted in the generated markup, the className value must also carry a closing quote to break out of the attribute). For parseMessage: `:10.0.01.1` as the Address6 input.

Protection from this CVE:

Upgrade to version 10.1.1 or later. If that is not possible, validate input before it reaches the constructor: reject any string containing ‘%’ or characters outside hex digits, colons, dots and slashes. Do not rely on Address6.isValid() alone for this, since it checks address syntax, not whether the text is safe to place in HTML. Never render group(), link(), spanAll() or error.parseMessage as HTML: assign them with textContent, or sanitize them first (e.g., DOMPurify.sanitize(addr.group())).
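The following is an added example written for this page; it is not code from the ip-address library. It models the grouping and link-building behaviour described above in a vulnerable form and a hardened form that escapes for both text and attribute context, and implements the input allowlist recommended here. The span class names, the default link prefix, the function names (simpleGroupUnsafe, simpleGroupSafe, linkUnsafe, linkSafe, isSafeAddressInput) and the 64-character length cap are assumptions for illustration.

```javascript
// Added example, not ip-address's own code. Models the advisory's
// description: segments (zone ID included) are wrapped in <span>s, and
// link() places caller-supplied prefix/className into href/class attributes.

// Minimal HTML escaper that is safe for both element text and quoted attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable stand-in for simpleGroup(): each colon-separated segment of the
// raw address is wrapped without escaping, so markup in a zone ID survives.
function simpleGroupUnsafe(address) {
  return address
    .split(':')
    .map((seg, i) => `<span class="hover-group group-${i}">${seg}</span>`)
    .join(':');
}

// Hardened form: the segment text is escaped before it is placed in the span.
function simpleGroupSafe(address) {
  return address
    .split(':')
    .map((seg, i) => `<span class="hover-group group-${i}">${escapeHtml(seg)}</span>`)
    .join(':');
}

// Vulnerable stand-in for link(): prefix and className land in attributes raw.
// With quoted attributes, a className containing a double quote breaks out.
function linkUnsafe(address, { prefix = '/#address=', className = '' } = {}) {
  return `<a href="${prefix}${address}" class="${className}">${address}</a>`;
}

// Hardened form: escape attribute values, and restrict the prefix to relative
// or http(s) URLs so that a javascript: prefix cannot become a live href
// (attribute escaping alone does not stop a javascript: URL).
function linkSafe(address, { prefix = '/#address=', className = '' } = {}) {
  if (!/^(\/|#|https?:\/\/)/.test(prefix)) {
    throw new Error('link prefix must be relative or http(s)');
  }
  const href = escapeHtml(prefix + address);
  const cls = escapeHtml(className);
  const text = escapeHtml(address);
  return `<a href="${href}" class="${cls}">${text}</a>`;
}

// Input allowlist to apply before untrusted text reaches new Address6(...):
// hex digits, colons, dots (embedded IPv4) and a slash (prefix length).
// This deliberately rejects zone IDs ('%'), as the advisory recommends.
// The 64-character cap is an assumed upper bound, not a protocol limit.
const SAFE_V6_INPUT = /^[0-9a-fA-F:./]+$/;
function isSafeAddressInput(s) {
  return typeof s === 'string' && s.length <= 64 && SAFE_V6_INPUT.test(s);
}

// Constructed payloads from the advisory (zone-ID markup; attribute breakout).
const zonePayload = 'fe80::1%<img src=x onerror=alert(1)>';
const classPayload = { className: 'x" onmouseover="alert(1)' };

console.log('unsafe group:', simpleGroupUnsafe(zonePayload));
console.log('safe group:  ', simpleGroupSafe(zonePayload));
console.log('unsafe link: ', linkUnsafe('fe80::1', classPayload));
console.log('safe link:   ', linkSafe('fe80::1', classPayload));
console.log('allowlist:   ', isSafeAddressInput(zonePayload), isSafeAddressInput('fe80::1'));
```

Escaping the output is the fix that matters; the allowlist is a pre-filter for callers that cannot upgrade and can live without zone IDs. Either way, the result of group()/link() should be placed in the page as text (textContent) unless it has been escaped or sanitized as above.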

Impact:

Extremely limited – analysis of 425 dependent npm packages and GitHub code search found zero consumers of group(), link(), or spanAll(). Only applications explicitly rendering those outputs as HTML with untrusted input are affected. Parsing/comparison APIs (isValid, correctForm, etc.) remain safe.


Sources:

Reported By: github.com