GHSA-h9cw-7g8j-h66h

Suggest an improvement
Source
https://github.com/advisories/GHSA-h9cw-7g8j-h66h
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-h9cw-7g8j-h66h/GHSA-h9cw-7g8j-h66h.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-h9cw-7g8j-h66h
Aliases
  • CVE-2022-25876
Published
2022-07-02T00:00:19Z
Modified
2026-03-13T22:11:55.092789Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Server-Side Request Forgery in link-preview-js
Details

The package link-preview-js before 2.1.17 are vulnerable to Server-side Request Forgery (SSRF) which allows attackers to send arbitrary requests to the local network and read the response. This is due to flawed DNS rebinding protection.

Database specific 
{
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-06T21:08:37Z",
    "nvd_published_at": "2022-07-01T20:15:00Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-918"
    ]
}
References

Affected packages

npm / link-preview-js

Package

Name
link-preview-js
View open source insights on deps.dev
Purl
pkg:npm/link-preview-js

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.1.17

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-h9cw-7g8j-h66h/GHSA-h9cw-7g8j-h66h.json"