There is a serious networking vulnerability in netmask, an npm library that numerous applications use to parse CIDR blocks and IPv4 addresses or compare those. The issue relates to netmask’s component with more than 3 million downloads a week on npm.
The bug in netmask results in that library seeing another IP when it parses an IPv4 address that has a leading zero. That happens because of incorrect input validations.
Leading Zero Modifies The Internet Protocol Address
Many security researchers have revealed a fault in the well-known netmask library. That vulnerability concerns the way in which netmask manages mixed-format internet protocol addresses, or the addresses with leading zeroes.
It is possible to present an internet protocol address in various formats, which include integer and hexadecimal. Anyhow, the most prevalent IPv4 resources are shown in decimal formats.
Imagine that you have a decimal IP address such as this: 127.0.0.1, the widely-known localhost address. If you add a 0 at the start of it, then should an app parse it in the new form, as the address without that prefix or another one? Type it in your Google Chrome address bar, and the browser will treat it in the form of an octal IP address. Press the Enter key after typing it, and the address will change to 126.96.36.199, its decimal version. That is how almost every application should handle such an ambiguous IP address.
While 127.0.0.1 represents the usual address for loopback traffic, its vague representation turns it into a public internet protocol address that leads to another host. However, when it comes to netmask, there would be stripping and discarding of any leading zero.
As per IETF’s actual specification, an IPv4 address’s components would be interpretable as octal in the event it starts with a zero. However, netmask ignores that. Netmask will always treat those as decimal components. That means in the event of trying to prove that an internet protocol address is part of a range, then it would not be right for octal IPv4 address representation.
Fixed Version Now Out on NPM
After the responsible vulnerability reporting from the researchers concerned, netmask developer Olivier Poitrey introduced a group of fixes for that fault to Github. Introduced alongside those fixes to it were test cases that confirm that IPv4 address octets with zero at the start are regarded as octal numbers.
While one fix for the vulnerability with an identifier was introduced in netmask 2.0.0 on npm, researcher RyotaK soon regarded the fixes as incomplete.
Therefore, another identifier was assigned to the vulnerability more recently, with a different fix introduced into netmask 2.0.1.