CVE-2022-25876

low-risk
Published 2022-07-01

The package link-preview-js before 2.1.16 are vulnerable to Server-side Request Forgery (SSRF) which allows attackers to send arbitrary requests to the local network and read the response. This is due to flawed DNS rebinding protection.

Do I need to act?

-
0.07% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.2/10 Medium
LOCAL / LOW complexity

Affected Products (1)

Link-Preview-Js

Affected Vendors

Link-Preview-Js Project

References (6)

Exploit https://github.com/ospfranco/link-preview-js/issues/115
Patch https://github.com/ospfranco/link-preview-js/pull/117
Exploit https://snyk.io/vuln/SNYK-JS-LINKPREVIEWJS-2933520
Exploit https://github.com/ospfranco/link-preview-js/issues/115
Patch https://github.com/ospfranco/link-preview-js/pull/117
Exploit https://snyk.io/vuln/SNYK-JS-LINKPREVIEWJS-2933520
25
/ 100
low-risk
Severity 20/34 · Moderate
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal