GHSA-4gp8-rjrq-ch6q

Source
https://github.com/advisories/GHSA-4gp8-rjrq-ch6q
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-4gp8-rjrq-ch6q/GHSA-4gp8-rjrq-ch6q.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-4gp8-rjrq-ch6q
Aliases
  • CVE-2026-43897
Published
2026-05-05T20:13:02Z
Modified
2026-05-13T14:35:04.660604Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
link-preview-js vulnerable to IPv6 and internal loopback attacks
Details

Impact

The library did not check for IPv6 loopback addresses. A hostname could also be resolved through DNS to an internal IP address. Either path could cause internal data leaks.

Patches

The problem has been patched in version 4.0.1, but the package alone cannot solve it completely. The regex used for validation has been tightened for IPv6 addresses.

DNS resolution, however, is harder. The regex has been tightened to reject .internal, .local, .nip.io and .sslip.io hostnames, but other services may not be on that list, so it is imperative that users set the resolveDNSHost option to resolve the hostname before content is fetched. To that end, a (scary) error message has been added when the option is not set.

Workarounds

Users can do their own validation before fetching content.

Reported by https://github.com/Andrew-most-likely

Database specific
{
    "github_reviewed_at": "2026-05-05T20:13:02Z",
    "nvd_published_at": "2026-05-11T22:22:14Z",
    "cwe_ids": [
        "CWE-918"
    ],
    "severity": "HIGH",
    "github_reviewed": true
}
References

Affected packages

npm / link-preview-js

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
4.0.1

Database specific

last_known_affected_version_range
"<= 4.0.0"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-4gp8-rjrq-ch6q/GHSA-4gp8-rjrq-ch6q.json"