{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/link-preview-js--4.0.0/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["link-preview-js (\u003c= 4.0.0)"],"_cs_severities":["high"],"_cs_tags":["link-preview-js","loopback","ipv6","dns","internal-ip"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u003ccode\u003elink-preview-js\u003c/code\u003e library, versions 4.0.0 and earlier, is susceptible to IPv6 loopback and internal IP address resolution attacks. This vulnerability arises because the library lacks proper validation for IPv6 loopback addresses and fails to adequately prevent DNS resolution to internal IP addresses. An attacker could exploit this to potentially leak internal data by causing the library to fetch content from internal services. Version 4.0.1 addresses this vulnerability by tightening the regex used to validate IPv6 addresses and prohibiting \u003ccode\u003e.internal\u003c/code\u003e, \u003ccode\u003e.local\u003c/code\u003e, \u003ccode\u003e.nip.io\u003c/code\u003e and \u003ccode\u003e.sslip.io\u003c/code\u003e addresses. Users are strongly encouraged to use the \u003ccode\u003eresolveDNSHost\u003c/code\u003e option to perform DNS resolution before fetching content.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a URL that resolves to an internal IP address or an IPv6 loopback address.\u003c/li\u003e\n\u003cli\u003eThe attacker provides the malicious URL to an application using the vulnerable \u003ccode\u003elink-preview-js\u003c/code\u003e library.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003elink-preview-js\u003c/code\u003e library fetches the URL to generate a preview, without proper validation of the resolved IP address.\u003c/li\u003e\n\u003cli\u003eThe library resolves the hostname, potentially using a DNS server controlled by the attacker or vulnerable to DNS poisoning.\u003c/li\u003e\n\u003cli\u003eThe DNS resolution returns an internal IP address (e.g., 127.0.0.1, ::1, 192.168.x.x, 10.x.x.x, 172.16.x.x).\u003c/li\u003e\n\u003cli\u003eThe library connects to the internal IP address, potentially accessing internal services or resources.\u003c/li\u003e\n\u003cli\u003eThe application using \u003ccode\u003elink-preview-js\u003c/code\u003e processes the response from the internal service.\u003c/li\u003e\n\u003cli\u003eSensitive internal data is leaked as part of the link preview generation process.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability could lead to the exposure of sensitive internal data. An attacker could potentially gain access to internal services, configuration files, or other resources that are not intended for public access. The specific impact depends on the nature of the internal services and data exposed. This vulnerability affects applications using \u003ccode\u003elink-preview-js\u003c/code\u003e version 4.0.0 or earlier, before the fix in version 4.0.1.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003elink-preview-js\u003c/code\u003e to version 4.0.1 or later to address the vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement additional validation of URLs and IP addresses before passing them to \u003ccode\u003elink-preview-js\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eUse the \u003ccode\u003eresolveDNSHost\u003c/code\u003e option to perform DNS resolution before fetching content, as suggested in the advisory.\u003c/li\u003e\n\u003cli\u003eMonitor network connections for outbound requests to internal IP address ranges originating from processes using \u003ccode\u003elink-preview-js\u003c/code\u003e. Deploy the \u003ccode\u003eDetect Outbound Connection to Internal IP Range\u003c/code\u003e Sigma rule to identify potential exploitation.\u003c/li\u003e\n\u003cli\u003eImplement the \u003ccode\u003eDetect DNS queries for internal TLDs\u003c/code\u003e Sigma rule to identify DNS queries for internal domains such as \u003ccode\u003e.internal\u003c/code\u003e, \u003ccode\u003e.local\u003c/code\u003e, \u003ccode\u003e.nip.io\u003c/code\u003e and \u003ccode\u003e.sslip.io\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eApply network segmentation and access controls to limit the exposure of internal services.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-link-preview-js-loopback/","summary":"link-preview-js versions 4.0.0 and earlier are vulnerable to IPv6 and internal loopback attacks, allowing potential internal data leaks by resolving addresses to internal IPs; patched in version 4.0.1.","title":"link-preview-js vulnerable to IPv6 and internal loopback attacks","url":"https://feed.craftedsignal.io/briefs/2024-01-link-preview-js-loopback/"}],"language":"en","title":"CraftedSignal Threat Feed — Link-Preview-Js (\u003c= 4.0.0)","version":"https://jsonfeed.org/version/1.1"}